AW: [Snort-users] reg Snort IDMEF plugin problem, NULL facility

Poppi, Sandro Sandro.Poppi at ...3316...
Wed Mar 30 03:03:18 EST 2005


Please try this in snort.conf:

output idmef: output=log facility_default=file|/var/log/snort/idmef_alerts.log analyzerid=IDS1

The logto option is deprecated, but I've not yet updated the documentation,
sorry ;)

I'm currently working on a completely rewritten version of snort-idmef which
also includes lots of additional information generated in the IDMEF
message, and it will reflect the current IDMEF draft 14.

I'll also update the documentation to reflect the new settings.

Best regards,
-----Original Message-----
From: snort-users-admin at
[mailto:snort-users-admin at] On behalf of Mayank
Sent: Wednesday, 30 March 2005 12:00
To: snort-users at
Subject: [Snort-users] reg Snort IDMEF plugin problem, NULL facility

Hi Snort Users,

I have installed the Snort IDMEF plugin. There were some initial problems with 
patching, but those were sorted by manually patching the file. I didn't get 
further problems in configure and make, make install. Then I enabled the IDMEF 
plugin in configuration in snort.conf, with the following minimum but MUST 

output idmef: output=log logto=/var/log/snort/idmef_alerts.log

and ran snort for some time in default alert mode with -dev options.

I am getting the following error:

ERROR: IDMEF: cannot output messages on a NULL facility

I referred for this error in Snort Users archive and found a similar 

The error refers to the same NULL facility, but there has been no 

Please suggest what the problem could be. I am sure there is some 
configuration problem with respect to the output idmef: plugin. But since 
Snort initially says 

IDMEF: No stored alert id.  Continuing with alert id = 1
Snort IDMEF Plugin successfully initialized

it is suggesting IDMEF has been properly initialised.

My OS: Fedora Core release 2 (Tettnang)
Snort version: snort-2.3.0
snort-idmef version: snort-idmef-plugin-1.2.1alpha2.0.5
Libidmef: libidmef-0.7.3-beta (source bz2)

Thanks & Regards,
Mayank Bhatnagar
mayank at ...9923...

68 Electronics City,
CDAC (Formerly NCST), 
Ph: 080-28523300/28520259-1200
Fax: 080-28520239
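As an added example (not part of either message and not code from snort-idmef), a small Python checker that parses "output idmef:" directives from a snort.conf and flags the deprecated logto option or a missing facility_default, the two settings the reply above contrasts. The sample directives are constructed from this thread; the joining of backslash continuation lines is an assumption about how the config might be wrapped.

```python
import re

# Constructed sample directives, modelled on the two lines in this thread.
DEPRECATED = "output idmef: output=log logto=/var/log/snort/idmef_alerts.log"
CURRENT = ("output idmef: output=log "
           "facility_default=file|/var/log/snort/idmef_alerts.log analyzerid=IDS1")

def parse_idmef_directive(line):
    """Return the key=value options of an 'output idmef:' directive as a dict,
    or None if the line is not such a directive."""
    m = re.match(r"\s*output\s+idmef\s*:\s*(.*)$", line)
    if not m:
        return None
    opts = {}
    for tok in m.group(1).split():
        key, _, val = tok.partition("=")
        opts[key] = val
    return opts

def check_idmef_directive(line):
    """Return a list of findings for one directive; an empty list means no issue found."""
    opts = parse_idmef_directive(line)
    if opts is None:
        return ["not an 'output idmef:' directive"]
    findings = []
    if "logto" in opts:
        findings.append("'logto' is deprecated; use facility_default=file|<path>")
    if "facility_default" not in opts:
        findings.append("no facility_default set: likely cause of the "
                        "'cannot output messages on a NULL facility' error")
    else:
        kind, _, target = opts["facility_default"].partition("|")
        if kind == "file" and not target:
            findings.append("facility_default=file needs a path after '|'")
    return findings

def check_snort_conf(text):
    """Scan snort.conf text, joining backslash-continued lines (assumed
    convention), and return {directive: findings} for every idmef directive."""
    results = {}
    logical = ""
    for raw in text.splitlines():
        line = raw.rstrip()
        if line.endswith("\\"):
            logical += line[:-1] + " "
            continue
        logical += line
        if logical.strip().startswith("output idmef:"):
            results[logical.strip()] = check_idmef_directive(logical)
        logical = ""
    return results
```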
