[Snort-users] snort not logging

Pardeep Dhiman pardeep_dhiman at ...125...
Thu Aug 23 02:43:21 EDT 2012


Hi Guys

I have followed the guide below to install Snort on Ubuntu 12.04. Snort is
not logging anything into snort.u2.xxxxxx or the database. There is no error in
syslog. I can see it is running, but no logs.

If I run it like this: /usr/local/snort/bin/snort -A console -i eth1

I can see a lot of traffic on this interface.

Guide URL:

http://www.snort.org/assets/158/snortinstallguide293.pdf


#ls -l  /var/log/snort/
total 4
-rw-r--r-- 1 snort snort 2056 Aug 23 16:36 barnyard2.waldo
-rw------- 1 snort snort    0 Aug 23 15:05 snort.u2.1345698347
-rw------- 1 snort snort    0 Aug 23 15:14 snort.u2.1345698890
-rw------- 1 snort snort    0 Aug 23 15:15 snort.u2.1345698954
-rw------- 1 root  root     0 Aug 23 15:18 snort.u2.1345699083
-rw------- 1 snort snort    0 Aug 23 15:25 snort.u2.1345699538
-rw------- 1 snort snort    0 Aug 23 15:55 snort.u2.1345701330
-rw------- 1 snort snort    0 Aug 23 16:32 snort.u2.1345703561
-rw------- 1 snort snort    0 Aug 23 16:36 snort.u2.1345703783


# ps aux | grep snort

snort    11021 14.5  1.3 352020 115260 ?       Rsl  15:55   5:08 /usr/local/snort/bin/snort -D -u snort -g snort -c /usr/local/snort/etc/snort.conf -i eth1
root     11024  0.0  0.0  21580  7064 ?        Ss   15:55   0:00 /usr/local/bin/barnyard2 -c /usr/local/snort/etc/barnyard2.conf -G /usr/local/snort/etc/gen-msg.map -S /usr/local/snort/etc/sid-msg.map -d /var/log/snort -f snort.u2 -w /var/log/snort/barnyard2.waldo -D


tail /var/log/syslog

Aug 23 16:32:41 vcids01 snort[13079]: [ Number of patterns truncated to 20 bytes: 422 ]
Aug 23 16:32:41 vcids01 snort[13079]: pcap DAQ configured to passive.
Aug 23 16:32:41 vcids01 snort[13079]: Acquiring network traffic from "eth1".
Aug 23 16:32:41 vcids01 snort[13079]: Initializing daemon mode
Aug 23 16:32:41 vcids01 snort[13080]: Daemon initialized, signaled parent pid: 13079
Aug 23 16:32:41 vcids01 snort[13080]: Reload thread starting...
Aug 23 16:32:41 vcids01 snort[13080]: Reload thread started, thread 0xa611fb40 (13080)
Aug 23 16:32:41 vcids01 kernel: [ 4045.644037] device eth1 entered promiscuous mode
Aug 23 16:32:41 vcids01 snort[13080]: Decoding Ethernet
Aug 23 16:32:41 vcids01 snort[13080]: Checking PID path...
Aug 23 16:32:41 vcids01 snort[13080]: PID path stat checked out ok, PID path set to /var/run/
Aug 23 16:32:41 vcids01 snort[13080]: Writing PID "13080" to file "/var/run//snort_eth1.pid"
Aug 23 16:32:41 vcids01 snort[13080]: Set gid to 1001
Aug 23 16:32:41 vcids01 snort[13080]: Set uid to 1001
Aug 23 16:32:41 vcids01 snort[13080]:
Aug 23 16:32:41 vcids01 snort[13080]:         --== Initialization Complete ==--
Aug 23 16:32:41 vcids01 snort[13080]: Commencing packet processing (pid=13080)
Aug 23 16:32:42 vcids01 barnyard2[13082]: Running in Continuous mode
Aug 23 16:32:42 vcids01 barnyard2[13082]:
Aug 23 16:32:42 vcids01 barnyard2[13082]:         --== Initializing Barnyard2 ==--
Aug 23 16:32:42 vcids01 barnyard2[13082]: Initializing Input Plugins!
Aug 23 16:32:42 vcids01 barnyard2[13082]: Initializing Output Plugins!
Aug 23 16:32:42 vcids01 barnyard2[13082]: Parsing config file "/usr/local/snort/etc/barnyard2.conf"
Aug 23 16:32:43 vcids01 barnyard2[13082]: Log directory = /var/log/barnyard2
Aug 23 16:32:43 vcids01 barnyard2[13082]: Initializing daemon mode
Aug 23 16:32:43 vcids01 barnyard2[13082]: Daemon parent exiting
Aug 23 16:32:43 vcids01 barnyard2[13083]: Daemon initialized, signaled parent pid: 13082
Aug 23 16:32:43 vcids01 barnyard2[13083]: PID path stat checked out ok, PID path set to /var/run/
Aug 23 16:32:43 vcids01 barnyard2[13083]: Writing PID "13083" to file "/var/run//barnyard2_eth1.pid"
Aug 23 16:32:43 vcids01 barnyard2[13083]: Last event seen for sid 1 was 0
Aug 23 16:32:43 vcids01 barnyard2[13083]: database: compiled support for (mysql)
Aug 23 16:32:43 vcids01 barnyard2[13083]: database: configured to use mysql
Aug 23 16:32:43 vcids01 barnyard2[13083]: database: schema version = 107
Aug 23 16:32:43 vcids01 barnyard2[13083]: database:           host = localhost
Aug 23 16:32:43 vcids01 barnyard2[13083]: database:           user = snort
Aug 23 16:32:43 vcids01 barnyard2[13083]: database:  database name = snort
Aug 23 16:32:43 vcids01 barnyard2[13083]: database:    sensor name = localhost:eth1
Aug 23 16:32:43 vcids01 barnyard2[13083]: database:      sensor id = 1
Aug 23 16:32:43 vcids01 barnyard2[13083]: database:     sensor cid = 1
Aug 23 16:32:43 vcids01 barnyard2[13083]: database:  data encoding = hex
Aug 23 16:32:43 vcids01 barnyard2[13083]: database:   detail level = full
Aug 23 16:32:43 vcids01 barnyard2[13083]: database:     ignore_bpf = no
Aug 23 16:32:43 vcids01 barnyard2[13083]: database: using the "log" facility
Aug 23 16:32:43 vcids01 barnyard2[13083]:
Aug 23 16:32:43 vcids01 barnyard2[13083]:         --== Initialization Complete ==--
Aug 23 16:32:43 vcids01 barnyard2[13083]: Barnyard2 initialization completed successfully (pid=13083)
Aug 23 16:32:43 vcids01 barnyard2[13083]: Using waldo file '/var/log/snort/barnyard2.waldo':#012    spool directory = /var/log/snort#012    spool filebase  = snort.u2#012    time_stamp      = 1345701330#012    record_idx      = 0
Aug 23 16:32:43 vcids01 barnyard2[13083]: Opened spool file '/var/log/snort/snort.u2.1345701330'
Aug 23 16:32:43 vcids01 barnyard2[13083]: Closing spool file '/var/log/snort/snort.u2.1345701330'. Read 0 records
Aug 23 16:32:43 vcids01 barnyard2[13083]: Opened spool file '/var/log/snort/snort.u2.1345703561'
Aug 23 16:32:43 vcids01 barnyard2[13083]: Waiting for new data

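The listing and the syslog lines above agree with each other: every snort.u2.* spool file is 0 bytes, and barnyard2 reports "Read 0 records" when it rolls through one. The check a practitioner wants at this point is a direct look inside a spool file, independent of barnyard2 and the database, to tell "Snort wrote no events" apart from "Snort wrote events that barnyard2 or the MySQL output did not pick up". Below is an added example for that, not code from the original post or from the Snort or barnyard2 projects. It assumes only the unified2 on-disk layout (each record is an 8-byte header of big-endian uint32 type and payload length followed by the payload, with the record type numbers and the 52-byte legacy IPv4 event layout taken from Snort's unified2 headers); the sample spool contents in build_sample() are constructed for the demonstration.

```python
"""Count and decode unified2 records in a Snort spool file (snort.u2.<timestamp>).

Added example, not part of the original mailing-list post and not Snort or
barnyard2 code. Assumes the unified2 on-disk layout: an 8-byte record header
(big-endian uint32 type, big-endian uint32 payload length) followed by the
payload. Usage: python3 u2count.py /var/log/snort/snort.u2.1345703561
"""
import struct
from collections import Counter

# Unified2 record header: record type and payload length, network byte order.
RECORD_HEADER = struct.Struct("!II")

# Record type numbers as defined in Snort's unified2 headers.
RECORD_TYPES = {
    2: "UNIFIED2_PACKET",
    7: "UNIFIED2_IDS_EVENT",
    72: "UNIFIED2_IDS_EVENT_IPV6",
    104: "UNIFIED2_IDS_EVENT_V2",
    105: "UNIFIED2_IDS_EVENT_IPV6_V2",
    110: "UNIFIED2_EXTRA_DATA",
}

# Legacy IPv4 IDS event payload (type 7): 11 x uint32, 2 x uint16, 4 x uint8 = 52 bytes.
IDS_EVENT_LEGACY = struct.Struct("!11I2H4B")
IDS_EVENT_FIELDS = (
    "sensor_id", "event_id", "event_second", "event_microsecond",
    "signature_id", "generator_id", "signature_revision",
    "classification_id", "priority_id", "ip_source", "ip_destination",
    "sport_itype", "dport_icode", "protocol", "impact_flag", "impact", "blocked",
)


def iter_records(data):
    """Yield (record_type, payload) for every complete record in data.

    Stops at a partial record: Snort appends to the live spool file, so a
    truncated tail means "not written yet", not a corrupt file (barnyard2
    waits for the rest in the same situation).
    """
    offset = 0
    while offset + RECORD_HEADER.size <= len(data):
        rtype, rlen = RECORD_HEADER.unpack_from(data, offset)
        start = offset + RECORD_HEADER.size
        end = start + rlen
        if end > len(data):
            break
        yield rtype, data[start:end]
        offset = end


def decode_event_legacy(payload):
    """Decode a type-7 payload into a dict keyed by IDS_EVENT_FIELDS."""
    values = IDS_EVENT_LEGACY.unpack(payload[:IDS_EVENT_LEGACY.size])
    return dict(zip(IDS_EVENT_FIELDS, values))


def summarize(data):
    """Count records by type; trailing_bytes > 0 means an incomplete last record."""
    counts = Counter()
    consumed = 0
    events = []  # (generator_id, signature_id, signature_revision) per type-7 record
    for rtype, payload in iter_records(data):
        counts[RECORD_TYPES.get(rtype, "UNKNOWN_%d" % rtype)] += 1
        consumed += RECORD_HEADER.size + len(payload)
        if rtype == 7:
            ev = decode_event_legacy(payload)
            events.append((ev["generator_id"], ev["signature_id"], ev["signature_revision"]))
    return {
        "records": sum(counts.values()),
        "by_type": dict(counts),
        "events": events,
        "trailing_bytes": len(data) - consumed,
    }


def summarize_file(path):
    with open(path, "rb") as fh:
        return summarize(fh.read())


def build_sample():
    """Constructed spool contents: one legacy event, one packet, one partial tail."""
    event = IDS_EVENT_LEGACY.pack(
        1, 1, 1345701330, 0,          # sensor_id, event_id, event_second, event_microsecond
        1000001, 1, 1,                # signature_id, generator_id, signature_revision
        0, 3,                         # classification_id, priority_id
        0x0A000001, 0x0A000002,       # ip_source, ip_destination (constructed 10.0.0.x)
        12345, 80, 6, 0, 0, 0,        # sport, dport, protocol (TCP), impact_flag, impact, blocked
    )
    packet_hdr = struct.pack("!7I", 1, 1, 1345701330, 1345701330, 0, 1, 4)
    packet = packet_hdr + b"\xde\xad\xbe\xef"
    partial = RECORD_HEADER.pack(7, 52) + b"\x00" * 10  # header promises 52 bytes, 10 present
    return (RECORD_HEADER.pack(7, len(event)) + event
            + RECORD_HEADER.pack(2, len(packet)) + packet
            + partial)


if __name__ == "__main__":
    import sys
    result = summarize_file(sys.argv[1]) if len(sys.argv) > 1 else summarize(build_sample())
    print(result)
```

Run against one of the 0-byte files in the listing this returns records = 0, which is exactly what barnyard2 reported, so the problem sits on the Snort side (rules loaded and matching, unified2 output configured) rather than in barnyard2 or the database. Run against a spool file that does contain events, the events list gives the gid:sid:rev triples that should then show up in the snort database, which is a quick way to confirm the barnyard2 to MySQL leg separately.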