[Snort-users] Snort not logging to unified2

Sacher, Désirée Desiree.Sacher at ...15556...
Wed Jan 30 04:35:05 EST 2013

Hi all

I have had snort distributed over 6 servers and about 30 interfaces for a few years now. We recently upgraded to 2.9.3 and I'm still trying to get barnyard2 to work with the logging to mysql. Now I've read of a few people who have issues when using snort on several interfaces, that the output is logged to pcap and not to unified2, which is what also happens here.

Snort.conf is configured to log to unified2 (and syslog, but that part works fine):
output unified2: filename snort.u2, limit 128
output alert_syslog: LOG_LOCAL7 LOG_WARNING LOG_NDELAY

the file is written but in pcap and not u2.  (error when trying to read it with u2spewfoo),
it's started up with the following attributes:
snort     9485     1  0 09:41 ?        00:00:16 /usr/sbin/snort -s -D -i eth1 -u snort -g snort -c /etc/snort/snort.conf -l /var/log/snort/eth1
snort     9495     1  0 09:41 ?        00:00:00 /usr/sbin/snort -s -D -i eth2 -u snort -g snort -c /etc/snort/snort.conf -l /var/log/snort/eth2

root at ...8349...:/var/log/snort/eth1# tcpdump -r snort.log.1359535265
reading from file snort.log.1359535265, link-type EN10MB (Ethernet)
10:02:15.777196 IP > ICMP echo request, id 1, seq 25, length 40
10:02:16.777892 IP > ICMP echo request, id 1, seq 26, length 40
10:02:17.776212 IP > ICMP echo request, id 1, seq 27, length 40
10:02:18.774413 IP > ICMP echo request, id 1, seq 28, length 40

Can someone point me to why this problem occurs and how to fix it? Google didn't help me yet and I couldn't find the solution in old mailing list entries.

Thank you

The content of this e-mail is intended only for the confidential use of the person addressed. 
If you are not the intended recipient, please notify the sender and delete this email immediately.
Thank you.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20130130/acc7f599/attachment.html>

More information about the Snort-users mailing list