[Snort-users] multiple instances of snort and barnyard

Spencer Anderson sanderson at ...11591...
Wed Aug 23 10:41:05 EDT 2006

I run several instances of Snort on SuSE Linux (to monitor traffic on
2-3 NICs) and I have been logging directly to a MySQL database. I would
like to start using the unified output and barnyard.  I have it working
for the most part; the problem is I have a unified output file for each
interface that I have snort listening on and I can't get multiple
instances of barnyard to run in continuous mode to process each log

I'd prefer to run barnyard in batch mode in 10-minute intervals on each
log file; I can't seem to do that either without restarting snort each
time after I run barnyard to create a new unified log file. 

Is there a way to run barnyard in batch mode so that each time it's run
against a file it only processes events that it hasn't processed before?

Or, is there a way to have multiple continuous instances of barnyard
running so each instance can maintain its corresponding snort unified
log file? 

Or, is there a better way to have each event captured by snort
associated with the network interface it was detected on? 

SuSE Enterprise 9 
Snort 2.4.5 
Barnyard 0.2.0 


