[Snort-users] barnyard: alert_syslog2 not working

Andrew R. Baker andrewb at ...950...
Tue Oct 12 08:53:30 EDT 2004


Botwick, Jason (Genworth, Contractor) wrote:
> Here is my barnyard.conf file
>  
> config hostname: x.x.x.x
> config interface: x
> output alert_syslog2: severity: NOTICE; facility: LOCAL1;
> #output alert_syslog: LOG_LOCAL2 LOG_ALERT LOG_NDELAY
> 
> Here are the lines I added to the syslog.conf file:
>  
> local1.*	/var/log/barnyard.log
> local2.*	/var/log/barnyard2.log
>  
> I SIGHUP'd both syslogd and barnyard. I even tried rebooting once, but
>  
> Running the command:
>  
> barnyard -o snort.eth1.alert.1097060734 -c /etc/snort/barnyard.conf
>  
> Produces no output in /var/log/barnyard.log
>  
> I have Snort configured to output in unified format. I know that this is
> working because I can get Barnyard to log to a database, and also the
> alert_syslog plugin works fine (using the commented directive above).
>  
> Any ideas why the old syslog plugin works, but the new one doesn't? What am
> I forgetting?

The new syslog2 output plug-in uses UDP sockets to send syslog events to 
the remote server.  This was done to allow it to be used on systems 
without a local syslog daemon.  The most likely scenario is that your 
local syslog daemon is not accepting syslog messages over UDP.  In order 
to use the syslog2 output plug-in you will need to enable this support.

-A

P.S. Barnyard related questions will get my attention much more quickly 
on the Barnyard mailing lists at SourceForge.
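To check the diagnosis above without touching barnyard itself, the following added example (not code from the original post or from the barnyard project) builds a datagram in the shape alert_syslog2 would emit for the poster's configuration (facility LOCAL1, severity NOTICE) and sends it over UDP. It assumes the classic BSD/RFC 3164 wire format, `<PRI>TAG: text`, where PRI is `facility * 8 + severity`, and the default syslog UDP port 514; the tag name "barnyard" and the alert text are constructed for the test. If the same datagram reaches a local daemon listening on UDP 514 but nothing appears in /var/log/barnyard.log, the selector in syslog.conf is wrong; if it never arrives, the daemon is not accepting network input.

```python
import socket

# RFC 3164 facility and severity codes. The names barnyard's
# alert_syslog2 directive accepts (LOCAL1, NOTICE, ...) map onto these.
FACILITIES = {"KERN": 0, "USER": 1, "MAIL": 2, "DAEMON": 3, "AUTH": 4,
              "SYSLOG": 5, "LPR": 6, "NEWS": 7, "UUCP": 8, "CRON": 9,
              "AUTHPRIV": 10, "FTP": 11,
              "LOCAL0": 16, "LOCAL1": 17, "LOCAL2": 18, "LOCAL3": 19,
              "LOCAL4": 20, "LOCAL5": 21, "LOCAL6": 22, "LOCAL7": 23}
SEVERITIES = {"EMERG": 0, "ALERT": 1, "CRIT": 2, "ERR": 3, "WARNING": 4,
              "NOTICE": 5, "INFO": 6, "DEBUG": 7}


def syslog_pri(facility, severity):
    """PRI = facility * 8 + severity (RFC 3164 section 4.1.1)."""
    return FACILITIES[facility.upper()] * 8 + SEVERITIES[severity.upper()]


def build_message(facility, severity, tag, text):
    """Build a minimal RFC 3164 datagram: <PRI>TAG: text."""
    return f"<{syslog_pri(facility, severity)}>{tag}: {text}".encode()


def parse_pri(datagram):
    """Return (facility_name, severity_name) decoded from a datagram's
    <PRI> header, or None if the header is malformed."""
    if not datagram.startswith(b"<"):
        return None
    end = datagram.find(b">", 1, 5)          # PRI is at most 3 digits
    if end == -1:
        return None
    try:
        pri = int(datagram[1:end])
    except ValueError:
        return None
    if pri > 191:                            # LOCAL7 * 8 + DEBUG is the maximum
        return None
    fac_code, sev_code = divmod(pri, 8)
    fac_names = {v: k for k, v in FACILITIES.items()}
    sev_names = {v: k for k, v in SEVERITIES.items()}
    return fac_names.get(fac_code, f"FACILITY{fac_code}"), sev_names[sev_code]


def udp_send(datagram, host="127.0.0.1", port=514):
    """Send one datagram the way alert_syslog2 does: fire-and-forget UDP,
    so a daemon that is not listening produces no error on the sender."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.sendto(datagram, (host, port))


def loopback_roundtrip(facility="LOCAL1", severity="NOTICE"):
    """Stand in for the syslog daemon: bind a UDP socket on loopback
    (ephemeral port, so no root and no real syslogd needed), send a
    barnyard-style datagram to it, and return the decoded PRI that arrived."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as rx:
        rx.bind(("127.0.0.1", 0))
        rx.settimeout(2.0)
        port = rx.getsockname()[1]
        msg = build_message(facility, severity, "barnyard", "constructed test alert")
        udp_send(msg, port=port)
        data, _ = rx.recvfrom(4096)
        return parse_pri(data)


if __name__ == "__main__":
    # 1. Prove the encoder/decoder agree using our own receiver.
    print(loopback_roundtrip())              # ('LOCAL1', 'NOTICE')
    # 2. Probe the real daemon: send to UDP 514 and then look in
    #    /var/log/barnyard.log (the poster's local1.* destination).
    udp_send(build_message("LOCAL1", "NOTICE", "barnyard", "syslog2 UDP probe"))
```

Running the script sends one probe to the local daemon; a line containing "syslog2 UDP probe" should appear in the file configured for local1.*. Sending over UDP gives the sender no feedback, which is why a silently missing log line looks identical whether the daemon is not listening, the port is firewalled, or the selector is wrong; the loopback round trip isolates the message format so only the daemon side is left to check.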
