[Snort-users] unified format

Igor Belikov ivb at ...13431...
Fri Aug 19 04:38:14 EDT 2005


Hello Roland,

Friday, August 19, 2005, 1:50:11 PM, you wrote:

>> When I run barnyard to monitor the unified log, no events are stored in the DB.
>> Please, can anybody help me to configure barnyard?

RTS> At this point, we probably need to see your snort and barnyard
RTS> configuration files.

 - >8 - - >8 - - >8 -  part of snort.conf  - >8 - - >8 - - >8 -

output alert_unified: filename snort.alert, limit 128
output log_unified: filename snort.log, limit 128

 - >8 - - >8 - - >8 -  part of snort.conf  - >8 - - >8 - - >8 -


 - >8 - - >8 - - >8 -  part of barnyard.conf  - >8 - - >8 - - >8 -
 
output alert_acid_db: mysql, sensor_id 1, database snort, server xxxx, user xxxx, password xxxx
output log_acid_db: mysql, sensor_id 1, database snort, server xxxx, user xxxx, password xxxx, detail full

 - >8 - - >8 - - >8 -  part of barnyard.conf  - >8 - - >8 - - >8 -

 
 - >8 - - >8 - - >8 -  part of running script  - >8 - - >8 - - >8 -

SNORT_BIN=/usr/local/snort/bin/snort
SNORT_CONF=/usr/local/snort/etc/snort.conf
SNORT_LOG=/var/log/snort
BARNYARD_BIN=/usr/local/barnyard/bin/barnyard
BARNYARD_CONF=/usr/local/barnyard/etc/barnyard.conf
 
startproc $SNORT_BIN -d -D -i any -l $SNORT_LOG -c $SNORT_CONF

startproc $BARNYARD_BIN -D -c $BARNYARD_CONF -d $SNORT_LOG -f snort.alert -w $SNORT_LOG/barnyard.waldo

 - >8 - - >8 - - >8 -  part of running script  - >8 - - >8 - - >8 -

(-g, -s and -p in the barnyard command line are omitted in the example above)


When I use "-f snort.alert", I get alert events in the DB but don't get the
payload. When I use "-f snort.log", I don't get alert events in the DB.


-- 
Best regards,
 Igor                            mailto:ivb at ...13431...
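As an added example (not from this thread and not part of Snort or barnyard), here is a small Python check that reads the snort.conf and barnyard.conf output lines quoted above together with the barnyard command line, and reports which spool barnyard is told to read, whether records in that spool carry packet payload, and which of the configured barnyard output plugins can consume them. It relies on two properties of Snort 2.x unified output and barnyard 0.x: alert_unified writes event records without packet data while log_unified writes the captured packet, and barnyard output plugins are named after the record type they handle (alert_* for alert spools, log_* for log spools). The config text and command line are constructed samples copied from the message; the function names are mine, and the plugin-prefix rule is applied to every output line, which is an assumption for plugins not shown on this page.

```python
"""Cross-check a Snort unified-output setup against the spool barnyard reads."""
import re
import shlex

# Snort unified output plugins and the kind of spool each writes.  Alert
# spools hold only the event header; log spools hold the captured packet,
# so payload can only reach the database when barnyard reads a log spool.
SNORT_UNIFIED_OUTPUTS = {"alert_unified": "alert", "log_unified": "log"}

# Matches "output <plugin>: <args>" in either snort.conf or barnyard.conf.
OUTPUT_RE = re.compile(r"^\s*output\s+(\w+)\s*:\s*(.*)$")

# Constructed samples, copied from the config fragments in the message.
SNORT_CONF = """\
output alert_unified: filename snort.alert, limit 128
output log_unified: filename snort.log, limit 128
"""
BARNYARD_CONF = """\
output alert_acid_db: mysql, sensor_id 1, database snort, server xxxx, user xxxx, password xxxx
output log_acid_db: mysql, sensor_id 1, database snort, server xxxx, user xxxx, password xxxx, detail full
"""
BARNYARD_CMD = ("startproc $BARNYARD_BIN -D -c $BARNYARD_CONF -d $SNORT_LOG "
                "-f snort.alert -w $SNORT_LOG/barnyard.waldo")


def parse_snort_spools(conf_text):
    """Map each unified spool base name to its spool type ('alert' or 'log')."""
    spools = {}
    for line in conf_text.splitlines():
        m = OUTPUT_RE.match(line)
        if not m or m.group(1) not in SNORT_UNIFIED_OUTPUTS:
            continue
        for arg in (a.strip() for a in m.group(2).split(",")):
            if arg.startswith("filename "):
                spools[arg.split(None, 1)[1]] = SNORT_UNIFIED_OUTPUTS[m.group(1)]
    return spools


def parse_barnyard_plugins(conf_text):
    """List (plugin, spool type) for every barnyard output line.

    Assumption: the alert_*/log_* name prefix tells which record type the
    plugin consumes, as it does for alert_acid_db and log_acid_db."""
    plugins = []
    for line in conf_text.splitlines():
        m = OUTPUT_RE.match(line)
        if not m:
            continue
        kind = m.group(1).split("_", 1)[0]
        if kind in ("alert", "log"):
            plugins.append((m.group(1), kind))
    return plugins


def spool_from_cmdline(cmdline):
    """Return the spool base name passed to barnyard with -f, or None."""
    argv = shlex.split(cmdline)
    for i, arg in enumerate(argv):
        if arg == "-f" and i + 1 < len(argv):
            return argv[i + 1]
        if arg.startswith("-f") and len(arg) > 2:   # "-fsnort.alert" form
            return arg[2:]
    return None


def check_setup(snort_conf, barnyard_conf, cmdline):
    """Explain which plugins will see records and whether payload is present."""
    spools = parse_snort_spools(snort_conf)
    spool = spool_from_cmdline(cmdline)
    report = {"spool": spool, "spool_type": spools.get(spool),
              "active": [], "idle": [], "payload": False, "notes": []}
    if spool is None:
        report["notes"].append("barnyard command line has no -f <spool>")
        return report
    if spool not in spools:
        report["notes"].append(f"{spool} is not written by any unified output in snort.conf")
        return report
    kind = spools[spool]
    report["payload"] = (kind == "log")
    for name, pkind in parse_barnyard_plugins(barnyard_conf):
        (report["active"] if pkind == kind else report["idle"]).append(name)
    if kind == "alert":
        report["notes"].append(f"{spool} is an alert spool: records carry no packet payload")
    if report["idle"]:
        report["notes"].append("plugins that never see this spool type: " + ", ".join(report["idle"]))
    if not report["active"]:
        report["notes"].append(f"no barnyard output plugin consumes {kind} records; nothing will be stored")
    return report


if __name__ == "__main__":
    for cmd in (BARNYARD_CMD, BARNYARD_CMD.replace("snort.alert", "snort.log")):
        r = check_setup(SNORT_CONF, BARNYARD_CONF, cmd)
        print(f"{r['spool']} ({r['spool_type']}): active={r['active']} payload={r['payload']}")
        for note in r["notes"]:
            print("  -", note)
```

Run against the message's own fragments, the check shows the two runs behave differently for a structural reason: with -f snort.alert only alert_acid_db receives records and those records contain no packet data, while with -f snort.log only log_acid_db receives records and each one carries the captured packet.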