[Snort-users] Re: Barnyard not Updating MySQL

Someone.you dont.like maps.this.address at ...11827...
Sun Aug 28 09:09:20 EDT 2005


The waldo.file was indeed the culprit. I removed it and restarted
Barnyard; from what you said on IRC and I'm quoting,

"
jesler> barnyard has to process the file and remember where it is at.
jesler> so it won't create/update a waldo file until it gets done
processing the unified file.
"

I believe a while back when I ran Barnyard with the waldo.file option, the
ASCII format alert/log files had the same name as the unified format files
(specified in snort.conf), my first mistake. Second, when I ran
Barnyard and didn't see waldo.file, I created one myself from the
command line rather than letting Barnyard generate one, because Barnyard, as
you said, was processing the unified file for a while and I wasn't
patient enough to wait around.

So my suggestion for others is: change the alert/log names of the unified
format files in snort.conf to be dissimilar to your old
alert/log files in other formats (csv, ascii...), e.g.
output alert_unified: filename snort-unified.alert, limit 128...

And make sure after initiating Barnyard, the waldo.file is processing
the correct unified log file. So if snort-unified.alert.11235645856 is
the log file being written to by Snort, make sure it is the same file
in your waldo.file. And last but not least, give Barnyard a chance to
create the waldo file.

Thank you J. Esler
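The two checks the post recommends, distinct filenames for unified and non-unified outputs and tracking the unified spool file Snort is currently writing, can be scripted. The following is an added example written for this page; it is not code from the poster or from the Barnyard project. It parses the `output` directives of a snort.conf, reports any filename shared by a unified plugin and a plain-text plugin, and picks the newest `filebase.<timestamp>` spool file from a directory listing. The default filenames assumed for `alert_fast`, `alert_full` and `log_tcpdump` when no name is given are those of Snort 2.x as I remember them; treat them as an assumption.

```python
import os
import re

# Output plugins whose arguments use the "filename <name>[, limit N]" syntax.
UNIFIED_PLUGINS = {"alert_unified", "log_unified", "alert_unified2", "log_unified2", "unified2"}

# Plain-text / pcap plugins that take the output filename as their first argument.
# The defaults used when no filename is given are an assumption (Snort 2.x behaviour).
FILE_PLUGINS = {"alert_fast": "alert", "alert_full": "alert", "alert_csv": None, "log_tcpdump": "snort.log"}

OUTPUT_RE = re.compile(r"^output\s+(\w+)\s*(?::\s*(.*))?$")
FILENAME_RE = re.compile(r"filename\s+([^\s,]+)")


def parse_output_lines(conf_text):
    """Return a list of (plugin, filename) for every output directive that writes a file."""
    results = []
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments
        m = OUTPUT_RE.match(line)
        if not m:
            continue
        plugin, args = m.group(1), (m.group(2) or "").strip()
        filename = None
        if plugin in UNIFIED_PLUGINS:
            fm = FILENAME_RE.search(args)
            filename = fm.group(1) if fm else None
        elif plugin in FILE_PLUGINS:
            filename = args.split()[0].rstrip(",") if args else FILE_PLUGINS[plugin]
        if filename:
            results.append((plugin, filename))
    return results


def find_collisions(conf_text):
    """Map each filename used by both a unified and a non-unified plugin to its plugins."""
    users = {}
    for plugin, filename in parse_output_lines(conf_text):
        users.setdefault(filename, []).append(plugin)
    return {
        name: plugins
        for name, plugins in users.items()
        if any(p in UNIFIED_PLUGINS for p in plugins)
        and any(p not in UNIFIED_PLUGINS for p in plugins)
    }


def current_spool_file(entries, filebase):
    """Pick the spool file with the highest numeric suffix, i.e. the one Snort writes now.

    Snort names unified files <filebase>.<epoch timestamp>; the newest one is the
    file the waldo file should point at once Barnyard has caught up.
    """
    suffix_re = re.compile(r"^" + re.escape(filebase) + r"\.(\d+)$")
    best, best_ts = None, -1
    for name in entries:
        m = suffix_re.match(name)
        if m and int(m.group(1)) > best_ts:
            best, best_ts = name, int(m.group(1))
    return best


def check_spool_dir(path, filebase):
    """Convenience wrapper: scan a real directory for the current unified file."""
    return current_spool_file(os.listdir(path), filebase)


# Constructed sample configs: the first reproduces the poster's mistake (same name
# for alert_fast and alert_unified), the second follows the advice in the post.
BAD_CONF = """\
output alert_fast: alert
output alert_unified: filename alert, limit 128
output log_unified: filename snort.log, limit 128
output database: log, mysql, user=snort dbname=snort host=localhost
"""

GOOD_CONF = """\
output alert_fast: alert
output alert_unified: filename snort-unified.alert, limit 128
output log_unified: filename snort-unified.log, limit 128
"""

# Constructed directory listing, mirroring the filenames used in the post.
SPOOL_LISTING = [
    "alert",
    "snort-unified.alert.11235600000",
    "snort-unified.alert.11235645856",
    "snort-unified.log.11235645856",
]

if __name__ == "__main__":
    print("collisions (bad):", find_collisions(BAD_CONF))
    print("collisions (good):", find_collisions(GOOD_CONF))
    print("current spool file:", current_spool_file(SPOOL_LISTING, "snort-unified.alert"))
```

Run it against your own snort.conf and spool directory with `find_collisions(open("/etc/snort/snort.conf").read())` and `check_spool_dir("/var/log/snort", "snort-unified.alert")`; an empty collision map and a spool file matching the one named in your waldo file is the state the post describes as working.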

