[Snort-users] Problem with barnyard 0.2.0 and snort 2.4.0

Paul Schmehl pauls at ...6838...
Sat Aug 20 11:39:05 EDT 2005


--On August 20, 2005 12:10:13 PM -0500 
eric-list-snort-users at ...11523... wrote:

> On Sat, 2005-08-20 at 11:55:45 -0500, Paul Schmehl proclaimed...
>
>> Delete your waldo file (/var/log/snort/log/snort_ids.log) and allow
>> barnyard to recreate it.  It's apparently corrupted.
>
> Deleted, but it didn't fix anything.
>
Restart barnyard, but add -v to make it more verbose.  If that doesn't tell 
you anything, then add a second or third v.

If you delete the waldo file, barnyard *should* reread all the log files 
(giving you duplicates in your db.)  If it still isn't reading the 
logfiles, then remove the waldo switch.  If it *still* won't load the 
files, there's something wrong with the files.  Either they're not in 
unified format or they're screwed up in a way that makes it impossible for 
barnyard to parse them.

The waldo file should look something like this:

# less /usr/local/etc/waldo.file
/var/log/snort/
snort.log
1124382173
3138

Check to see if the snort log files are binary.  If they aren't then snort 
isn't logging in unified format.

>> I also strongly recommend that you do not use localtime with barnyard.
>> It causes problems during the change from daylight savings to "normal"
>> time.
>
> Done, but that didn't fix anything either.
>
This wasn't intended to fix anything regarding your present problem.

Paul Schmehl (pauls at ...6838...)
Adjunct Information Security Officer
University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu/
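The checks Paul walks through above (is the waldo file well-formed, does it point at a spool file that actually exists, and is that spool file binary rather than text) can be scripted. The following is an added example, not code from the post or from the barnyard project. It assumes the four-line waldo layout exactly as shown in the post (spool directory, file base name, file timestamp, record offset) and that the spool file is named `<base>.<timestamp>` in that directory; the "binary" test is the same heuristic the post suggests (non-printable bytes), not a parse of the unified record structure. All sample inputs are constructed inline.

```python
"""Sanity-check a barnyard waldo file and the Snort spool file it points at.

Added example; assumptions: the waldo file is the four-line text form shown in
the post, and the spool file lives at <dir>/<base>.<timestamp>.
"""
import os
import string
import tempfile

# Constructed sample mirroring the waldo file quoted in the post.
SAMPLE_WALDO = "/var/log/snort/\nsnort.log\n1124382173\n3138\n"


def parse_waldo(text):
    """Parse the four-line waldo format: dir, base name, timestamp, record offset.

    Raises ValueError for a truncated or corrupted file, which is the case
    where deleting it and letting barnyard recreate it is the right fix."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    if len(lines) != 4:
        raise ValueError("expected 4 non-empty lines, got %d" % len(lines))
    spool_dir, base, ts, offset = lines
    if not (ts.isdigit() and offset.isdigit()):
        raise ValueError("timestamp and record offset must be numeric")
    return {"dir": spool_dir, "base": base, "timestamp": int(ts), "offset": int(offset)}


def spool_path(w):
    """Spool file barnyard would resume from (assumed <base>.<timestamp> naming)."""
    return os.path.join(w["dir"], "%s.%d" % (w["base"], w["timestamp"]))


def looks_binary(data, sample=1024):
    """Heuristic from the post: unified output is binary; a text alert file
    (alert_fast/alert_full style) is almost entirely printable ASCII."""
    chunk = data[:sample]
    if not chunk:
        return False
    if b"\x00" in chunk:
        return True
    printable = set(bytes(string.printable, "ascii"))
    nonprint = sum(1 for b in chunk if b not in printable)
    return nonprint / len(chunk) > 0.10


def diagnose(waldo_text, spool_exists, spool_head):
    """Return a list of findings. spool_head is the first KB of the spool file."""
    try:
        w = parse_waldo(waldo_text)
    except ValueError as e:
        return ["waldo file malformed (%s): delete it and let barnyard recreate it" % e]
    path = spool_path(w)
    if not spool_exists:
        return ["spool file %s does not exist: waldo points at a missing or rotated file" % path]
    if not looks_binary(spool_head):
        return ["%s is not binary: snort is not logging in unified format" % path]
    return ["ok: %s present and binary, barnyard resumes at record %d" % (path, w["offset"])]


def check_from_disk(waldo_path):
    """Run diagnose() against real files on this host."""
    with open(waldo_path) as f:
        text = f.read()
    try:
        path = spool_path(parse_waldo(text))
    except ValueError:
        return diagnose(text, False, b"")
    exists = os.path.isfile(path)
    head = b""
    if exists:
        with open(path, "rb") as f:
            head = f.read(1024)
    return diagnose(text, exists, head)


if __name__ == "__main__":
    # Demo on constructed files in a temp dir: one binary spool, one text spool.
    with tempfile.TemporaryDirectory() as d:
        waldo = os.path.join(d, "waldo.file")
        with open(waldo, "w") as f:
            f.write("%s/\nsnort.log\n1124382173\n3138\n" % d)
        spool = os.path.join(d, "snort.log.1124382173")
        with open(spool, "wb") as f:
            f.write(bytes(range(256)) * 4)          # binary-looking content
        print(check_from_disk(waldo))
        with open(spool, "w") as f:
            f.write("08/20-11:55:45.123456 [**] [1:1:1] text alert [**]\n" * 20)
        print(check_from_disk(waldo))
```

Run it as `python3 waldo_check.py` to see the two constructed cases, or call `check_from_disk("/usr/local/etc/waldo.file")` against the real file; a "malformed" finding is the corrupted-waldo case, and "not binary" means the output plugin in snort.conf is not a unified one.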
