Re: can't log to merged.log file in unified2 format in Version 2.9.9.0

[Marcin Dulak <marcin.dulak () gmail com>]

I'm the message forwarding back to the list.

On Mon, Apr 10, 2017 at 4:55 PM, Berndt, Achim <aberndt () studio-hamburg de>
wrote:

> Hello Marcin,
>
>
>
> I have deleted all files in /var/log/snort, before I started snort again.
>
> It seems, that snort doesn’t accept the option “output unified2: filename
> merged.u2, limit 128, nostamp”.
>
> Snort writes to 2 other filenames, “snort.log.timestamp” and “alert”, in
> the pcap format.
>
> Only if I activate the option “output log_unified2: filename snort.u2,
> limit 128, nostamp”
>
> Snort writes in unified2 format. But unfortunately not the combined
> version.
>
>
>
> Regards
>
> Achim
>
>
>
> *Von:* Marcin Dulak [mailto:marcin.dulak () gmail com]
> *Gesendet:* Montag, 10. April 2017 13:10
> *An:* Berndt, Achim <aberndt () studio-hamburg de>
> *Cc:* snort-users () lists sourceforge net
> *Betreff:* Re: [Snort-users] can't log to merged.log file in unified2
> format in Version 2.9.9.0
>
>
>
>
>
>
>
> On Mon, Apr 10, 2017 at 11:58 AM, Berndt, Achim <aberndt () studio-hamburg de>
> wrote:
>
> Hello,
>
> I have a problem to activate logging to merged.log file in unified2 format,
> but not with separated logfiles snort.alert and snort.u2?!
> It worked with the same config in Version 2.9.8.3 with no problems.
> Snort started with following options:
>
> ? /usr/sbin/snort -d -D -i eth4 -u snort -g snort -c /etc/snort/snort.conf
> -l /var/log/snort
> Config setup for merged logfile:
>
> ? output unified2: filename merged.u2, limit 128, nostamp
>
> ? generate 2 files (alert, snort.log.timestamp) in pcap format
>
>
>
> this is surprising - are you sure these files are not from a previous run
> or due some other output options are active in snort.conf in addition to
> "output unified2"?
>
> Do you need both alerts + payloads in merged.u2 or only alerts? If the
> latter then -N command line switch is needed when starting snort.
>
> Note that snort.conf alone is not sufficient for controlling the output
> options - the -y and -N command line switches also have an effect on what
> log files are generated.
>
>
>
> Marcin
>
>
>
> Config for separated logfiles:
>
> ? output alert_unified2: filename snort.alert, limit 128, nostamp
>
> ? output log_unified2: filename snort.u2, limit 128, nostamp
>
> ? generate 2 files (snort.alert, snort.u2) in unified2 format
> Any ideas?
>
> Regards
> Achim
> ------------------------------------------------------------
> ------------------
> Check out the vibrant tech community on one of the world's most
> engaging tech sites, Slashdot.org! http://sdm.link/slashdot
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
>
> Please visit http://blog.snort.org to stay current on all the latest
> Snort news!
------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!