[Snort-users] Re: [Barnyard-users] Barnyard alert_fast and log_dump question ...

Sam Evans wintrmte at ...11827...
Mon Oct 4 20:12:27 EDT 2004


Thanks for the reply .. 

Do you know if this type of functionality will be added into future
updates of Barnyard?  I could probably hack something together, but
would rather have something more official as my C skills are quite
weak.

Thanks again,
Sam



On Mon, 4 Oct 2004 19:47:47 -0500, Bamm Visscher
<bamm.visscher at ...11827...> wrote:
> You have to run two instances of barnyard as it can't process two
> unified filetypes at the same time.  The only other option right now
> would be to hack together a custom output plugin that read unified log
> and output to both the db and an alert fast type output.
> 
> Bammkkkk
> 
> 
> 
> 
> On Mon, 4 Oct 2004 17:00:05 -0600, Sam Evans <wintrmte at ...11827...> wrote:
> > Sorry for the X-Post, but the barnyard-users list appears to be either
> > dead, or incredibly inactive..
> >
> > Anyhow, I am hoping that someone here knows the answer to my question..
> >
> > I am trying to log both the alert_fast and log_dump information.  The
> > problem I am running into is this...
> >
> > If I use the -f option (base file name) and specify the alert unified
> > file, then it logs the alert_fast information to both syslog and plain
> > text file (exactly as I want).  What I don't get, is any of the packet
> > dump information being logged to the database, or the packet.dump file
> > (Which makes sense, because the alert unified file contains just
> > that, alert fast info).
> >
> > Now, if I tell -f to use the log unified file, then I get exactly the
> > opposite..  Nothing gets logged to Syslog, or the alert.fast plain
> > text file.  I do get my packet.dump plain text file as well as full
> > packet information into the database.  Ideally, I could live with this
> > scenario if it would just log the alert fast information to Syslog....
> >
> > My question here is, how do I get both?
> >
> > Thanks,
> > Sam
> >
> 
> 
> --
> sguil - The Analyst Console for NSM
> http://sguil.sf.net
>
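A small shell check, added here and not taken from the thread or from the Barnyard project, that applies the rule Bamm gives above: it classifies the `output` plugins in a barnyard.conf as alert_* or log_* and reports whether the unified file named with -f can feed them, or whether the config has to be split across two barnyard instances. The alert_/log_ prefix split (taken from the plugin names alert_fast and log_dump in the thread) and the sample configs are assumptions.

```sh
#!/bin/sh
# Classify one barnyard.conf ($1) by the unified file type its output plugins
# consume: alert_* plugins need the alert unified file, log_* plugins need the
# log unified file. Prints "alert", "log", "both" or "none".
classify_conf() {
    have_alert=0
    have_log=0
    while IFS= read -r line; do
        case "$line" in
            output\ alert_*) have_alert=1 ;;
            output\ log_*)   have_log=1 ;;
        esac
    done < "$1"
    if [ "$have_alert" = 1 ] && [ "$have_log" = 1 ]; then echo both
    elif [ "$have_alert" = 1 ]; then echo alert
    elif [ "$have_log" = 1 ]; then echo log
    else echo none
    fi
}

# Check config $1 against the unified file type ($2: "alert" or "log") that the
# -f base name points at. Returns 0 if consistent, 1 if the plugins would
# silently log nothing (the symptom in the thread), 2 if the config mixes
# both kinds and must be split into two configs run by two instances (each
# instance also needs its own -w waldo/bookmark file; assumed from barnyard -h).
check_pair() {
    kind=$(classify_conf "$1")
    case "$kind" in
        both)  echo "$1 mixes alert_* and log_* plugins: run two instances"; return 2 ;;
        "$2")  return 0 ;;
        none)  echo "$1 has no output plugins"; return 1 ;;
        *)     echo "$1 has ${kind}_* plugins but -f names the $2 unified file"; return 1 ;;
    esac
}

# Constructed sample configs (assumptions, not from the thread) to exercise it.
tmp=$(mktemp -d)
printf 'output alert_fast: alert.fast\n' > "$tmp/alert.conf"
printf 'output log_dump: packet.dump\n' > "$tmp/log.conf"
printf 'output alert_fast: alert.fast\noutput log_dump: packet.dump\n' > "$tmp/mixed.conf"

# Reproduce the thread's second scenario: alert plugins fed the log unified file.
check_pair "$tmp/alert.conf" log || echo "(exit status $?)"
for c in alert log mixed; do
    echo "$c.conf -> needs the $(classify_conf "$tmp/$c.conf") unified file(s)"
done
```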



