[Snort-users] Re: [Barnyard-users] barnyard logging mysteries

Bamm Visscher bamm.visscher at ...11827...
Tue Nov 30 16:10:02 EST 2004


Don't use 'sensor_id 1'. Use 'sensor_id 0'. 

Bammkkkk



On Tue, 30 Nov 2004 17:39:54 -0600, Chris McClimans
<barnyard-users at ...12733...> wrote:
> I'm ccing snort-users and barnyard-users since barnyard-users looks to
> be a bit quiet recently.
> 
> Two questions...
> 
> Should I be generating both a log and alert unified log and processing
> each with its own barnyard process, or does log include the data in
> alert? I've seen some posts on this, but nothing definitive or
> documented.
> 
> Secondly, is there any way to get more information on failures in
> barnyard processing besides -v? I'm looking at a pretty simple
> configuration in barnyard that should be shooting stuff over to a mysql
> setup for acid. As the mysql session shows, there are events in the
> database, but no sensors. With the limited data acid doesn't function
> properly.
> -chris
> 
> cat /etc/snort/barnyard.conf
> config daemon
> config hostname:mynifty host
> output log_acid_db: mysql, sensor_id 1, database snort, server 127.0.0.1, user xxxxxx, password xxxxx, detail full
> output alert_acid_db: mysql, sensor_id 1, database snort, server 127.0.0.1, user xxxxxx, password xxxxx, detail full
> 
> tail /var/log/daemon.log
> Nov 30 17:15:54 localhost barnyard[14987]: Initializing daemon mode
> Nov 30 17:15:54 localhost barnyard[14988]: Opened spool file
> '/var/log/snort/snort.unified.log.1101856179'
> Nov 30 17:15:54 localhost barnyard[14988]: Waiting for new data
> 
> mysql snort
> mysql> select COUNT(*) from event;
> +----------+
> | COUNT(*) |
> +----------+
> |       87 |
> +----------+
> 1 row in set (0.00 sec)
> 
> mysql> select COUNT(*) from sensor;
> +----------+
> | COUNT(*) |
> +----------+
> |        0 |
> +----------+
> 1 row in set (0.00 sec)
> 
> _______________________________________________
> Barnyard-users mailing list
> Barnyard-users at lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/barnyard-users
> 


-- 
sguil - The Analyst Console for NSM
http://sguil.sf.net
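The reply boils down to one setting, but the symptom (events present, sensor table empty) is worth being able to spot mechanically. The following is an added example, not code from the thread, barnyard, or ACID: it parses the posted barnyard.conf `output` lines and flags any plugin with a hard-coded non-zero `sensor_id`, then runs the orphan check (events whose `sid` has no row in `sensor`) against an in-memory SQLite stand-in for the snort database. Assumptions: the `sensor` and `event` tables are keyed on `sid` as in the standard snort DB schema (only a subset of columns is modelled), the sample config and the 87 events are constructed to mirror the post, and, as the reply implies, a non-zero `sensor_id` bypasses sensor registration.

```python
import re
import sqlite3

# Constructed copy of the poster's barnyard.conf output lines (credentials elided).
SAMPLE_CONF = """\
config daemon
config hostname:mynifty host
output log_acid_db: mysql, sensor_id 1, database snort, server 127.0.0.1, user xxxxxx, password xxxxx, detail full
output alert_acid_db: mysql, sensor_id 1, database snort, server 127.0.0.1, user xxxxxx, password xxxxx, detail full
"""

OUTPUT_RE = re.compile(r"^output\s+(\w+):\s*(.*)$")


def parse_output_lines(conf_text):
    """Return [(plugin, {option: value}), ...] for every 'output' directive.

    Options are comma-separated 'name value' pairs, as in the posted config;
    the first element after the colon is the database type.
    """
    outputs = []
    for line in conf_text.splitlines():
        m = OUTPUT_RE.match(line.strip())
        if not m:
            continue
        plugin, rest = m.groups()
        parts = [p.strip() for p in rest.split(",")]
        opts = {"db_type": parts[0]}
        for part in parts[1:]:
            kv = part.split(None, 1)
            if len(kv) == 2:
                opts[kv[0]] = kv[1]
        outputs.append((plugin, opts))
    return outputs


def nonzero_sensor_ids(conf_text):
    """Flag output plugins that hard-code a non-zero sensor_id.

    Assumption (from the reply): sensor_id 0 lets barnyard register the
    sensor itself; any other value is used as-is and no sensor row appears.
    """
    return [
        (plugin, int(opts["sensor_id"]))
        for plugin, opts in parse_output_lines(conf_text)
        if int(opts.get("sensor_id", "0")) != 0
    ]


def orphaned_sensor_ids(conn):
    """Map sid -> event count for sids that have no matching sensor row.

    This is the condition ACID trips over: events exist but cannot be
    attributed to a sensor.
    """
    rows = conn.execute(
        """
        SELECT e.sid, COUNT(*)
        FROM event e
        LEFT JOIN sensor s ON s.sid = e.sid
        WHERE s.sid IS NULL
        GROUP BY e.sid
        """
    ).fetchall()
    return {sid: n for sid, n in rows}


def build_sample_db(n_events=87, sid=1):
    """In-memory SQLite stand-in for the snort/ACID MySQL schema (assumed
    subset of columns), populated with constructed orphaned events."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE sensor (sid INTEGER PRIMARY KEY, hostname TEXT, interface TEXT);
        CREATE TABLE event (sid INTEGER, cid INTEGER, signature INTEGER, timestamp TEXT,
                            PRIMARY KEY (sid, cid));
        """
    )
    conn.executemany(
        "INSERT INTO event VALUES (?, ?, ?, ?)",
        [(sid, cid, 1, "2004-11-30 17:15:54") for cid in range(1, n_events + 1)],
    )
    conn.commit()
    return conn


if __name__ == "__main__":
    for plugin, sid in nonzero_sensor_ids(SAMPLE_CONF):
        print(f"{plugin}: sensor_id {sid} is hard-coded; use sensor_id 0")
    db = build_sample_db()
    for sid, count in orphaned_sensor_ids(db).items():
        print(f"sid {sid}: {count} events with no sensor row")
```

Against a live snort database the same LEFT JOIN can be pasted into the mysql client; the SQLite copy here only exists so the check runs offline on the numbers from the post.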