[Snort-users] Unable to configure unified2 output
cummingsj at ...11827...
Wed Mar 31 11:29:36 EDT 2010
You should also verify that you have not specified any additional output
On Wed, Mar 31, 2010 at 9:23 AM, Todd Wease <twease at ...1935...> wrote:
> On 03/30/2010 06:19 PM, Mike Lococo wrote:
> > Greetings,
> > I recently attempted to migrate to merged alert/log unified2 output
> > using the following config:
> > output unified2: filename snort-unified2.log, limit 128
> > When running this config I get snort.log.[epochtime] files instead of
> > the snort-unified2.log.[epochtime] files that I expect. The snort.log
> > files are tcpdump formatted... not unified2. It's not clear to me why
> > this config doesn't work, it should be valid according to the manual and
> > to many mailing-list examples.
> > If I make a trivial change to the config above...
> > output log_unified2: filename snort-unified2.log, limit 128
> > ... the tcpdump-formatted files are no longer created, and I do see
> > snort-unified2.log.[epochtime] files as expected. However, I'd like to
> > have a "merged" unified2 log with both alert and log information in it
> > as is specified in the previous "broken" config.
> > If I run snort with no output-line configured at all, I get the same
> > tcpdump-formatted snort.log files as I get with my broken unified2
> > config, which makes me think that there is something causing my config
> > line to be ignored and I'm falling through to a default.
> > My initial configuration used the original unified "log" output and
> > behaves as expected:
> > output log_unified: filename snort0.log, limit 128
> > This created the expected snort0.log.[epochtime] files in
> > /var/log/snort, and has worked well for quite some time. I can switch
> > back to this config now and it still works as expected, so I feel fairly
> > confident in the rest of my snort config/infrastructure.
> > Additional possibly relevant info:
> > * I'm running the latest stable snort (22.214.171.124 - Build 124).
> > * When running snort from the command line, I don't see any useful
> > output printed to the screen in any of my test cases. The only relevant
> > line appears to be "Initializing Output Plugins!", which never changes
> > or echoes the output configuration that is being initialized.
> > * A similar problem was reported in the forum in November with no
> > response:
> > Does anyone have any ideas about what could be going wrong, or
> > additional troubleshooting steps to take? Since there's no error or
> > problem indicator (other than failure to produce the desired logs) I'm
> > not sure what to check next.
> > Thanks,
> > Mike Lococo
> Can you post the command line you are using and your snort.conf so we
> can take a look?
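As an added example (not code from the thread or from the Snort project), a small Python check for the kind of thing the reply suggests verifying: it lists every active `output` directive in a snort.conf and reports the file prefix each unified2-family line will write. The config fragment is constructed; it combines the unified2 line from the thread with a second, hypothetical output directive.

```python
import re

# Constructed sample snort.conf fragment (not the poster's config): the unified2 line
# from the thread, the old log_unified line commented out, and a hypothetical extra output.
SAMPLE_CONF = """\
# output log_unified: filename snort0.log, limit 128
output unified2: filename snort-unified2.log, limit 128
output log_tcpdump: snort.log
"""

OUTPUT_RE = re.compile(r'^\s*output\s+(\w+)\s*:\s*(.*?)\s*$')
UNIFIED2_PLUGINS = ('unified2', 'alert_unified2', 'log_unified2')

def parse_output_lines(conf_text):
    """Return [(plugin, options)] for every active 'output' directive; commented lines are
    skipped. Options are comma-separated 'key value' pairs; a bare token is the filename."""
    directives = []
    for line in conf_text.splitlines():
        m = OUTPUT_RE.match(line)
        if not m:
            continue
        plugin, raw = m.groups()
        opts = {}
        for tok in (t.strip() for t in raw.split(',')):
            if not tok:
                continue
            parts = tok.split(None, 1)
            key, val = (parts[0], parts[1]) if len(parts) == 2 else ('filename', parts[0])
            opts[key] = val
        directives.append((plugin, opts))
    return directives

def audit_outputs(conf_text):
    """Report what is worth checking when the expected unified2 files do not appear: no
    output directive, more than one directive, a missing filename, and each file prefix."""
    directives = parse_output_lines(conf_text)
    findings = []
    if not directives:
        findings.append('no output directive active; snort falls back to default logging')
    if len(directives) > 1:
        findings.append('more than one output directive active: ' + ', '.join(p for p, _ in directives))
    for plugin, opts in directives:
        if plugin not in UNIFIED2_PLUGINS:
            findings.append('%s also writes its own files (%s)' % (plugin, opts.get('filename', '?')))
        elif 'filename' not in opts:
            findings.append('%s has no filename option' % plugin)
        else:
            findings.append('%s writes %s.<epochtime>' % (plugin, opts['filename']))
    return findings
```

Run `audit_outputs(open('snort.conf').read())` against a real config to see every active output line at once, since snort itself only prints "Initializing Output Plugins!" without echoing them.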