[Snort-users] output options in barnyard
giermo at ...187...
Wed Jul 31 15:29:04 EDT 2002
Damn, I just figured it out...
Alert_fast is an ALERT plugin. If you don't have barnyard processing the
unified ALERT file you will get no alerts sent to alert_fast.
Is there any way to get a single instance of Barnyard to process snort.alert
and snort.log files?
the -f switch is where you specify the input filename, can you call -f
barnyard -d /var/log/snort -f snort.log -f snort.alert -L /var/log/barnyard
>> Chris Eidem wrote:
>> > I'm all confused, in barnyard.conf, alert_fast and log_pcap take a
>> > filename as an argument, but docs/USAGE states they do not. I'm
>> > assuming that they don't since barnyard complains mightily if they're
>> > there. Ok, so I don't add a file name, but then, what is written where?
>> > I've looked in ./, /var/log, /var/log/snort, but no joy.
>> The conf file is correct in this case. What error is it giving when you
>> specify a filename?
>here's the output from reload of the .conf file (shown bottom):
>root at ...3953... /usr/local/snort-beta$ kill -HUP 27669
>Loading Data Processors...
>root at ...3953... /usr/local/snort-beta$ dp_stream_stat loaded
>Loading Built-in Output Plugins...
>Fast Alert plugin initialized
>Log Dump plugin initialized
>AcidDb output plugin initialized
>Parsing Config file: by-xl1.conf
>WARNING by-xl1.conf(8) => Unknown output plugin "alert_fast alert-xl1"
>referenced, ignoring!Args: mysql, sensor_id 1, database stest, server
>localhost, user snort, detail full, password snort
>WARNING ./classification.config(95): Duplicate classification
>"not-suspicious"found, ignoring this line
>[similar './classification.config(X):' warnings deleted for brevity ]
>Barnyard Version 0.1.0-rc2 (Build 11) started
>OpAcidDB configuration details
>Database Flavour: mysql
>Detail Level: Full
>Database Server: localhost
>Database User: snort
>config hostname: cubanelle
>config interface: xl1
>config filter: not port 22
>output alert_fast alert-xl1
># output alert_acid_db: mysql, sensor_id 1, database stest, server
>localhost, user snort, password snort
>output log_acid_db: mysql, sensor_id 1, database stest, server
>localhost, user snort, detail full, password xxxxxxxxx
>thanks for your help,
> - chris