[Snort-devel] 2.9.2-1 - Missing Alerts in Unified2 - Partial Alert in Unified

Michael R Gilliam techsavvy at ...3250...
Thu Feb 2 11:45:22 EST 2012


Has anyone expereinced an issue that occurs when having output directed to two destinations, both a unified format and unified2 format, there are partial alerts that show up in the unified file (alert, but no packet/session data) and the alert and packet/session data is completely missing out of the unified2 file? Otherwise, for the most part (99% of the time), all alerts and packets/session data match . 

running snort2.9.2-1 
daq 0.6.2 


snort.conf output is set up as 
output unified2: filename snort.log, limit 128 
output alert_unified:filename /var/log/snort/log2.alert, limit 128 
output log_unified: filename /var/log/snort/log2.log, limit 128 

Thanks, 
Mike 

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-devel/attachments/20120202/ba84deaa/attachment.html>


More information about the Snort-devel mailing list