Snort mailing list archives
unified2 merged logging does not work properly when the -s command line parameter
From: Jonathan Kobrick <kobo500 () gmail com>
Date: Mon, 24 Jun 2013 12:57:44 -0400
I wanted to share this finding with the group in case others have hit this issue. Apologies in advance if this is already a known issue or a documented config exception, but I couldn't find any reference to this.

I was trying to get unified2 merged logging working. As part of our troubleshooting, we upgraded to 2.9.4.6 and still saw this issue. Snort was generating snort.log files even though we had this output plugin configured in snort.conf:

    output unified2: filename snort.u2, limit 128
    output alert_syslog: LOG_AUTH LOG_ALERT

They weren't being processed by barnyard (2-1.13) and pumped into the database.

What I found was that we had a "-s" going in as a parameter when snort was starting. Removing the "-s" on the snort command line fixed it (it was in the init.d script; I'm not sure where it came from, it could have been legacy, which is what caused our trip up). The -s is to log snort alerts to syslog, but that's not required since we use the syslog output plugin in snort.conf already. The "-s" was apparently conflicting with the unified2 output plugin, since we got snort.log files instead of the snort.u2 files.

Hopefully this is helpful to someone.