[Snort-users] Unable to configure unified2 output
twease at ...1935...
Wed Mar 31 11:23:47 EDT 2010
On 03/30/2010 06:19 PM, Mike Lococo wrote:
> I recently attempted to migrate to merged alert/log unified2 output
> using the following config:
>
> output unified2: filename snort-unified2.log, limit 128
>
> When running this config I get snort.log.[epochtime] files instead of
> the snort-unified2.log.[epochtime] files that I expect. The snort.log
> files are tcpdump formatted... not unified2. It's not clear to me why
> this config doesn't work; it should be valid according to the manual and
> to many mailing-list examples.
>
> If I make a trivial change to the config above...
>
> output log_unified2: filename snort-unified2.log, limit 128
>
> ... the tcpdump-formatted files are no longer created, and I do see
> snort-unified2.log.[epochtime] files as expected. However, I'd like to
> have a "merged" unified2 log with both alert and log information in it
> as is specified in the previous "broken" config.
>
> If I run snort with no output line configured at all, I get the same
> tcpdump-formatted snort.log files as I get with my broken unified2
> config, which makes me think that there is something causing my config
> line to be ignored and I'm falling through to a default.
>
> My initial configuration used the original unified "log" output and
> behaves as expected:
>
> output log_unified: filename snort0.log, limit 128
>
> This created the expected snort0.log.[epochtime] files in
> /var/log/snort, and has worked well for quite some time. I can switch
> back to this config now and it still works as expected, so I feel fairly
> confident in the rest of my snort config/infrastructure.
>
> Additional possibly relevant info:
>
> * I'm running the latest stable snort (126.96.36.199 - Build 124).
> * When running snort from the command line, I don't see any useful
> output printed to the screen in any of my test cases. The only relevant
> line appears to be "Initializing Output Plugins!", which never changes
> or echoes the output configuration that is being initialized.
> * A similar problem was reported in the forum in November with no
>
> Does anyone have any ideas about what could be going wrong, or
> additional troubleshooting steps to take? Since there's no error or
> problem indicator (other than failure to produce the desired logs) I'm
> not sure what to check next.
>
> Mike Lococo

Can you post the command line you are using and your snort.conf so we
can take a look?
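As an added troubleshooting aid (not code from this thread or from the Snort project): a small Python checker that tells whether a file Snort wrote is a tcpdump/pcap capture or a unified2 stream, and for unified2 lists the record types present, so a merged alert/log file should show both IDS_EVENT and PACKET records. The pcap magic values and unified2 record type numbers are taken from the libpcap and unified2 format definitions as I know them; the sample bytes are constructed.

```python
import struct

# Magic numbers a libpcap/tcpdump file starts with: both byte orders,
# plus the nanosecond-resolution variants.
PCAP_MAGICS = {b"\xa1\xb2\xc3\xd4", b"\xd4\xc3\xb2\xa1",
               b"\xa1\xb2\x3c\x4d", b"\x4d\x3c\xb2\xa1"}

# Unified2 record types Snort writes (assumed from the unified2 header
# definitions); every record starts with big-endian type and length fields.
UNIFIED2_TYPES = {2: "PACKET", 7: "IDS_EVENT", 72: "IDS_EVENT_IPV6",
                  104: "IDS_EVENT_VLAN", 105: "IDS_EVENT_IPV6_VLAN",
                  110: "EXTRA_DATA"}

def sniff_format(data: bytes) -> str:
    """Return 'pcap', 'unified2' or 'unknown' for the head of an output file."""
    if len(data) >= 4 and data[:4] in PCAP_MAGICS:
        return "pcap"
    if len(data) >= 8:
        rtype, rlen = struct.unpack("!II", data[:8])
        # A sane first unified2 record has a known type and a plausible
        # length (packet records are bounded by the snaplen, well under 1 MiB).
        if rtype in UNIFIED2_TYPES and 0 < rlen < (1 << 20):
            return "unified2"
    return "unknown"

def unified2_record_types(data: bytes) -> list:
    """Walk a unified2 stream and return the record type names in order.

    Stops at a truncated trailing record, which is normal for a file that
    Snort is still appending to.
    """
    names, off = [], 0
    while off + 8 <= len(data):
        rtype, rlen = struct.unpack("!II", data[off:off + 8])
        if off + 8 + rlen > len(data):
            break
        names.append(UNIFIED2_TYPES.get(rtype, "type%d" % rtype))
        off += 8 + rlen
    return names

def classify_file(path: str):
    """Report the format of a Snort output file and, for unified2, its records."""
    with open(path, "rb") as fh:
        data = fh.read()
    fmt = sniff_format(data)
    return fmt, (unified2_record_types(data) if fmt == "unified2" else [])

# Constructed samples: a little-endian pcap global header (24 bytes), and a
# unified2 stream holding an IDS event (52-byte body) then a packet record
# (28-byte header plus 4 bytes of packet data).
SAMPLE_PCAP = b"\xd4\xc3\xb2\xa1" + struct.pack("<HHiIII", 2, 4, 0, 0, 65535, 1)
SAMPLE_U2 = (struct.pack("!II", 7, 52) + bytes(52)
             + struct.pack("!II", 2, 32) + bytes(32))
```

Run `classify_file("/var/log/snort/snort.log.<epochtime>")` against the files the "broken" config produces; a result of `pcap` confirms the output line was ignored rather than written in an unexpected unified2 layout.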