[Snort-users] FW: Snort 2.8.6 & Snort Report 1.3.1 with "NoData..."

Billy Marshall Billy.Marshall at ...9988...
Thu Aug 26 09:51:23 EDT 2010


As far as the chown command, yes, it is a typo.
However, file location is a matter of preference, and wherever the config files live you need to match them with how snort/barnyard is invoked. This could be a startup script or within the .conf files themselves.
 
On the note that they fail to report, try:
mysql -usnort -p<your mysql password> -D snort -e "select count(*) from event"
 
Run this a few times; if the database grows, then either barnyard or snort is logging.
Verify which by either commenting out
output unified2: filename <your file name>, limit 128 --- from snort.conf for barnyard logging
or
output database: log, mysql, user=snort password=<your password> dbname=snort host=localhost --- from snort.conf for snort logging
 
Last, you may look at your log files where the alerts are kept to see if they have proper ownership. I have noticed that if I run snort as a different user, it creates an alert.xxx file with different ownership, and when I start it with snort it gets hosed because of permissions. E.g., make sure all log files for snort alerts are:
chown snort:snort <path to log files>
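
The two checks described in the message above (event-table growth and log-file ownership), as an added shell example that is not part of the original post. The log directory /var/log/snort, the 30-second interval, the SNORT_DB_PASS variable and the function names are assumptions.

```shell
#!/bin/sh
# Added example, not from the original message.
# Assumed names: SNORT_DB_PASS (database password), /var/log/snort (log path).

# List regular files under $1 whose owner is not uid $2 or whose group is not gid $3.
wrong_owner() {
    find "$1" -type f \( ! -uid "$2" -o ! -gid "$3" \) -print
}

# Classify two successive "select count(*) from event" results.
event_growth() {
    if [ "$2" -gt "$1" ]; then echo growing; else echo static; fi
}

# Current row count of the event table, digits only (-N drops the column header).
event_count() {
    mysql -usnort -p"$SNORT_DB_PASS" -D snort -N -B -e "select count(*) from event"
}

diagnose() {
    log_dir=${1:-/var/log/snort}   # assumed location; match your snort.conf
    interval=${2:-30}              # assumed sampling interval in seconds

    first=$(event_count) || return 1
    sleep "$interval"
    second=$(event_count) || return 1
    echo "event table: $first -> $second ($(event_growth "$first" "$second"))"

    # Resolve the snort account to numeric ids, then audit the alert files.
    uid=$(id -u snort) && gid=$(id -g snort) || return 1
    bad=$(wrong_owner "$log_dir" "$uid" "$gid")
    if [ -n "$bad" ]; then
        echo "not owned by snort:snort (fix with chown snort:snort):"
        echo "$bad"
    else
        echo "all files under $log_dir are owned by snort:snort"
    fi
}

# Usage: sh snort_check.sh run [log_dir] [interval_seconds]
if [ "${1:-}" = run ]; then shift; diagnose "$@"; fi
```

A "static" result with traffic known to trigger rules points at the output configuration or at the ownership problem listed by the second check.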
 
 

 