[Snort-users] Problem with barnyard 0.2.0 and snort 2.4.0
pauls at ...6838...
Sat Aug 20 11:39:05 EDT 2005
--On August 20, 2005 12:10:13 PM -0500
eric-list-snort-users at ...11523... wrote:
> On Sat, 2005-08-20 at 11:55:45 -0500, Paul Schmehl proclaimed...
>> Delete your waldo file (/var/log/snort/log/snort_ids.log) and allow
>> barnyard to recreate it. It's apparently corrupted.
> Deleted, but it didn't fix anything.
Restart barnyard, but add -v to make it more verbose. If that doesn't tell
you anything, then add a second or third v.
If you delete the waldo file, barnyard *should* reread all the log files
(giving you duplicates in your db.) If it still isn't reading the
logfiles, then remove the waldo switch. If it *still* won't load the
files, there's something wrong with the files. Either they're not in
unified format or they're screwed up in a way that makes it impossible for
barnyard to parse them.
The waldo file should look something like this:
# less /usr/local/etc/waldo.file
Check to see if the snort log files are binary. If they aren't then snort
isn't logging in unified format.
>> I also strongly recommend that you do not use localtime with barnyard.
>> It causes problems during the change from daylight savings to "normal"
> Done, but that didn't fix anything either.
This wasn't intended to fix anything regarding your present problem.
Paul Schmehl (pauls at ...6838...)
Adjunct Information Security Officer
University of Texas at Dallas
AVIEN Founding Member
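A script that performs the "are the snort log files binary / unified?" check described in the message above, added here as an example and not part of the original thread. The unified magic constants are from my recollection of Snort's spo_unified.c and the default /var/log/snort path is an assumption; both are marked as such in the code.

```python
import os
import struct
import sys

# Magic numbers written at the start of Snort unified (v1) files, as I
# recall them from snort's spo_unified.c; treat these as an assumption.
# Unified2 (later Snort) has no file magic and will classify as "binary".
UNIFIED_MAGICS = {0xDEAD1080: "unified log", 0xDEAD4137: "unified alert"}


def classify_header(head: bytes) -> str:
    """Classify the first bytes of a Snort output file.

    Returns "empty", "text", "unified log", "unified alert" or "binary".
    Snort writes unified headers in host byte order, so both endiannesses
    are checked before falling back to a text/binary heuristic.
    """
    if not head:
        return "empty"
    if len(head) >= 4:
        for fmt in ("<I", ">I"):
            magic = struct.unpack(fmt, head[:4])[0]
            if magic in UNIFIED_MAGICS:
                return UNIFIED_MAGICS[magic]
    # file(1)-style heuristic: a NUL byte or a high share of non-printable
    # bytes means this is not a plain-text (e.g. alert_fast) file.
    if b"\x00" in head:
        return "binary"
    printable = sum(1 for b in head if 32 <= b < 127 or b in b"\t\n\r")
    return "text" if printable / len(head) > 0.95 else "binary"


def classify_file(path: str) -> str:
    with open(path, "rb") as f:
        return classify_header(f.read(512))


def scan_spool_dir(spool_dir: str) -> dict:
    """Map every regular file in the spool directory to its classification."""
    result = {}
    for name in sorted(os.listdir(spool_dir)):
        path = os.path.join(spool_dir, name)
        if os.path.isfile(path):
            result[name] = classify_file(path)
    return result


if __name__ == "__main__":
    # Assumed default spool directory; pass another path as the first argument.
    spool = sys.argv[1] if len(sys.argv) > 1 else "/var/log/snort"
    for name, kind in scan_spool_dir(spool).items():
        print(f"{name}: {kind}")
```

Any file reported as "text" is not something barnyard can read, which points at the snort output plugin configuration rather than at barnyard or the waldo file.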