[Snort-users] FW: Snort 2.8.6 & Snort Report 1.3.1 with "NoData..."
Billy.Marshall at ...9988...
Thu Aug 26 09:51:23 EDT 2010
As far as the chown command, yes, it is a typo.
However, file location is a matter of preference, and wherever the config files live you need to match them with how snort/barnyard is invoked. This could be a startup script or within the .conf files themselves.
On the note that they fail to report, try:
mysql -usnort -p<your mysql password> -D snort -e "select count(*) from event"
Run this a few times; if the database grows, then either barnyard or snort is logging.
Verify which by either commenting out
output unified2: filename <your file name>, limit 128 --- from snort.conf for barnyard logging
output database: log, mysql, user=snort password=<your password> dbname=snort host=localhost --- from snort.conf for snort logging
Last, you may look in your log files where the alerts are kept to see if they have proper ownership. I have noticed if I run snort as a different user it creates an alert.xxx file with different ownership, and when I start it with snort it gets hosed because of permissions. E.g. make sure all log files for snort alerts are:
chown snort:snort <path to log files>
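
The ownership check described in the message above, as an added example that is not part of the original post: it lists files in a Snort log directory whose owner or group differs from the account Snort runs as. The function names and the /var/log/snort path are assumptions for illustration.

```shell
#!/bin/sh
# Added example: find Snort log files left behind by a run under another user.
# Function names and the sample path are hypothetical; substitute your own.

# find_misowned DIR USER GROUP
# Prints every regular file under DIR that is not owned by USER:GROUP.
# USER and GROUP may be names or numeric IDs.
find_misowned() {
    dir=$1; user=$2; group=$3
    [ -d "$dir" ] || { echo "not a directory: $dir" >&2; return 2; }
    find "$dir" -type f \( ! -user "$user" -o ! -group "$group" \) -print
}

# report_misowned DIR USER GROUP
# Returns 0 when ownership is consistent, 1 when at least one file is off,
# 2 when the directory or account could not be checked.
report_misowned() {
    bad=$(find_misowned "$1" "$2" "$3") || return 2
    if [ -n "$bad" ]; then
        echo "files not owned by $2:$3 (fix with: chown $2:$3 <file>):"
        # Show numeric owner and group so a stray root-owned file stands out.
        echo "$bad" | while IFS= read -r f; do ls -ln "$f"; done
        return 1
    fi
    echo "all files under $1 are owned by $2:$3"
    return 0
}

# Example invocation (assumed log path and account):
# report_misowned /var/log/snort snort snort
```

Run it before starting Snort under its service account; a non-zero exit means at least one alert or unified2 file would be unwritable for that account.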