[Snort-users] Unable to configure unified2 output

JJ Cummings cummingsj at ...11827...
Wed Mar 31 11:29:36 EDT 2010


You should also verify that you have not specified any additional output
types....

On Wed, Mar 31, 2010 at 9:23 AM, Todd Wease <twease at ...1935...> wrote:

> On 03/30/2010 06:19 PM, Mike Lococo wrote:
> > Greetings,
> >
> > I recently attempted to migrate to merged alert/log unified2 output
> > using the following config:
> >
> >     output unified2: filename snort-unified2.log, limit 128
> >
> > When running this config I get snort.log.[epochtime] files instead of
> > the snort-unified2.log.[epochtime] files that I expect.  The snort.log
> > files are tcpdump formatted... not unified2.  It's not clear to me why
> > this config doesn't work, it should be valid according to the manual and
> > to many mailing-list examples.
> >
> > If I make a trivial change to the config above...
> >
> >     output log_unified2: filename snort-unified2.log, limit 128
> >
> > ... the tcpdump-formatted files are no longer created, and I do see
> > snort-unified2.log.[epochtime] files as expected.  However, I'd like to
> > have a "merged" unified2 log with both alert and log information in it
> > as is specified in the previous "broken" config.
> >
> > If I run snort with no output-line configured at all, I get the same
> > tcpdump-formatted snort.log files as I get with my broken unified2
> > config, which makes me think that there is something causing my config
> > line to be ignored and I'm falling through to a default.
> >
> > My initial configuration used the original unified "log" output and
> > behaves as expected:
> >
> >     output log_unified: filename snort0.log, limit 128
> >
> > This created the expected snort0.log.[epochtime] files in
> > /var/log/snort, and has worked well for quite some time.  I can switch
> > back to this config now and it still works as expected, so I feel fairly
> > confident in the rest of my snort config/infrastructure.
> >
> > Additional possibly relevant info:
> > * I'm running the latest stable snort (2.8.5.3 - Build 124).
> > * When running snort from the command line, I don't see any useful
> > output printed to the screen in any of my test cases.  The only relevant
> > line appears to be "Initializing Output Plugins!", which never changes
> > or echoes the output configuration that is being initialized.
> > * A similar problem was reported in the forum in November with no
> > response:
> >
> https://forums.snort.org/forums/snort-newbies/topics/problems-enabling-unified2-logging
> >
> > Does anyone have any ideas about what could be going wrong, or
> > additional troubleshooting steps to take?  Since there's no error or
> > problem indicator (other than failure to produce the desired logs) I'm
> > not sure what to check next.
> >
> > Thanks,
> > Mike Lococo
> >
>
> Mike,
>
> Can you post the command line you are using and your snort.conf so we
> can take a look?
>
> Thanks,
> Todd
>
>
>
>
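Two checks that follow from this thread, written as an added example (not code from the thread or from the Snort project): an audit of the active output directives in snort.conf, which is what the suggestion to look for additional output types amounts to, and a look at a log file's first bytes to tell a pcap-format snort.log from a unified2 file. The sample snort.conf and the file headers are constructed.

```python
import re
import struct

# Matches an active (uncommented) Snort 2 output directive: "output <plugin>: <args>"
OUTPUT_RE = re.compile(r"^\s*output\s+(\w+)\s*:\s*(.*?)\s*$")

# pcap global-header magic (both byte orders) and the unified2 record types Snort writes
PCAP_MAGIC = {b"\xa1\xb2\xc3\xd4", b"\xd4\xc3\xb2\xa1"}
UNIFIED2_TYPES = {2: "packet", 7: "ids_event", 104: "ids_event_v2", 110: "extra_data"}

# Plugins whose on-disk output competes with a single merged unified2 log
PCAP_WRITERS = {"log_tcpdump"}
SPLIT_UNIFIED2 = {"alert_unified2", "log_unified2"}


def audit_output_directives(conf_text):
    """Return (plugin names, warnings) for the active output lines in a snort.conf."""
    directives = [m.groups() for m in map(OUTPUT_RE.match, conf_text.splitlines()) if m]
    names = [name for name, _ in directives]
    warnings = []
    if len(names) > 1:
        warnings.append("multiple output plugins active: " + ", ".join(names))
    if "unified2" in names and PCAP_WRITERS & set(names):
        warnings.append("log_tcpdump is active and will keep writing pcap-format files")
    if "unified2" in names and SPLIT_UNIFIED2 & set(names):
        warnings.append("merged unified2 is combined with split alert/log unified2 plugins")
    return names, warnings


def classify_log_file(data):
    """Guess whether a Snort log file is pcap, unified2 or something else from its first bytes."""
    if data[:4] in PCAP_MAGIC:
        return "pcap"
    if len(data) >= 8:
        # unified2 records start with a (type, length) header in network byte order
        rec_type, rec_len = struct.unpack("!II", data[:8])
        if rec_type in UNIFIED2_TYPES and 0 < rec_len <= len(data) - 8:
            return "unified2"
    return "unknown"


# Constructed samples (not from the thread): a pcap header, one unified2 record, a small conf
SAMPLE_PCAP = b"\xd4\xc3\xb2\xa1" + bytes(20)
SAMPLE_UNIFIED2 = struct.pack("!II", 7, 52) + bytes(52)
SAMPLE_CONF = """\
# output log_unified: filename snort0.log, limit 128
output unified2: filename snort-unified2.log, limit 128
output log_tcpdump: tcpdump.log
"""

if __name__ == "__main__":
    print(audit_output_directives(SAMPLE_CONF))
    print(classify_log_file(SAMPLE_PCAP), classify_log_file(SAMPLE_UNIFIED2))
```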