[Snort-users] Problem with barnyard 0.2.0 and snort 2.4.0

Paul Schmehl pauls at ...6838...
Sat Aug 20 11:39:05 EDT 2005

--On August 20, 2005 12:10:13 PM -0500 
eric-list-snort-users at ...11523... wrote:

> On Sat, 2005-08-20 at 11:55:45 -0500, Paul Schmehl proclaimed...
>> Delete your waldo file (/var/log/snort/log/snort_ids.log) and allow
>> barnyard to recreate it.  It's apparently corrupted.
> Deleted, but it didn't fix anything.
Restart barnyard, but add -v to make it more verbose.  If that doesn't tell 
you anything, then add a second or third v.

If you delete the waldo file, barnyard *should* reread all the log files 
(giving you duplicates in your db.)  If it still isn't reading the 
logfiles, then remove the waldo switch.  If it *still* won't load the 
files, there's something wrong with the files.  Either they're not in 
unified format or they're screwed up in a way that makes it impossible for 
barnyard to parse them.

The waldo file should look something like this:

# less /usr/local/etc/waldo.file

Check to see if the snort log files are binary.  If they aren't then snort 
isn't logging in unified format.

>> I also strongly recommend that you do not use localtime with barnyard.
>> It  causes problems during the change from daylight savings to "normal"
>> time.
> Done, but that didn't fix anything either.
This wasn't intended to fix anything regarding your present problem.

Paul Schmehl (pauls at ...6838...)
Adjunct Information Security Officer
University of Texas at Dallas
AVIEN Founding Member
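As an added example (not part of the original thread or of barnyard/snort themselves), the "check whether the snort log files are binary" step above can be scripted. The magic values below are assumed from Snort's unified output plugin header (spo_unified.h) and should be verified against the Snort source you run; Snort writes the header in host byte order, so both byte orders are tried. The sample inputs are constructed inline.

```python
import struct

# Assumed magic numbers for the unified v1 log and alert files written by
# snort's spo_unified plugin (check spo_unified.h in your snort version).
UNIFIED_LOG_MAGIC = 0xDEAD1080
UNIFIED_ALERT_MAGIC = 0xDEAD4137


def looks_binary(data: bytes, sample: int = 512) -> bool:
    """Heuristic text/binary test on the first `sample` bytes.

    A text alert/log file has no NUL bytes and is almost entirely printable.
    """
    chunk = data[:sample]
    if not chunk:
        return False
    if b"\x00" in chunk:
        return True
    printable = sum(1 for b in chunk if 32 <= b < 127 or b in (9, 10, 13))
    return printable / len(chunk) < 0.9


def unified_kind(data: bytes):
    """Return 'log', 'alert' or None from the 4-byte magic at offset 0.

    The header is written in host byte order, so both encodings are tried.
    """
    if len(data) < 4:
        return None
    for fmt in ("<I", ">I"):
        magic = struct.unpack(fmt, data[:4])[0]
        if magic == UNIFIED_LOG_MAGIC:
            return "log"
        if magic == UNIFIED_ALERT_MAGIC:
            return "alert"
    return None


def classify(data: bytes) -> str:
    """Summarise what kind of file the leading bytes look like."""
    kind = unified_kind(data)
    if kind:
        return f"unified {kind} file"
    if looks_binary(data):
        return "binary, but no unified header (wrong format or truncated)"
    return "text (snort is not logging in unified format)"


def classify_file(path: str) -> str:
    """Read the first 4 KiB of a file and classify it."""
    with open(path, "rb") as fh:
        return classify(fh.read(4096))


# Constructed samples standing in for real snort output files.
SAMPLE_UNIFIED_LOG = struct.pack("<I", UNIFIED_LOG_MAGIC) + b"\x00" * 12
SAMPLE_TEXT_ALERT = b"[**] [1:2000:1] Test alert [**]\n"
SAMPLE_OTHER_BINARY = b"\x7fELF" + b"\x00" * 12

if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:
        print(f"{path}: {classify_file(path)}")
```

Run it as `python check_unified.py /var/log/snort/snort.log.*` (path is an example): a "text" verdict means the output plugin is not `log_unified`/`alert_unified`, while "binary, but no unified header" points at the parse failure the mail describes rather than at the waldo file.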
