[Snort-users] Snort not logging to unified2
Desiree.Sacher at ...15556...
Wed Jan 30 04:35:05 EST 2013
I have had snort distributed over 6 servers and about 30 interfaces for a few years now. We recently upgraded to 2.9.3 and I'm still trying to get barnyard2 to work with the logging to mysql. Now I've read of a few people who have issues when using snort on several interfaces, that the output is logged to pcap and not to unified2, which is what also happens here.
Snort.conf is configured to log to unified2 (and syslog, but that part works fine):
output unified2: filename snort.u2, limit 128
output alert_syslog: LOG_LOCAL7 LOG_WARNING LOG_NDELAY
The file is written, but in pcap format and not u2 (error when trying to read it with u2spewfoo).
It is started up with the following attributes:
snort 9485 1 0 09:41 ? 00:00:16 /usr/sbin/snort -s -D -i eth1 -u snort -g snort -c /etc/snort/snort.conf -l /var/log/snort/eth1
snort 9495 1 0 09:41 ? 00:00:00 /usr/sbin/snort -s -D -i eth2 -u snort -g snort -c /etc/snort/snort.conf -l /var/log/snort/eth2
root at ...8349...:/var/log/snort/eth1# tcpdump -r snort.log.1359535265
reading from file snort.log.1359535265, link-type EN10MB (Ethernet)
10:02:15.777196 IP 220.127.116.11 > 18.104.22.168: ICMP echo request, id 1, seq 25, length 40
10:02:16.777892 IP 22.214.171.124 > 126.96.36.199: ICMP echo request, id 1, seq 26, length 40
10:02:17.776212 IP 188.8.131.52 > 184.108.40.206: ICMP echo request, id 1, seq 27, length 40
10:02:18.774413 IP 220.127.116.11 > 18.104.22.168: ICMP echo request, id 1, seq 28, length 40
Can someone point me to why this problem occurs and how to fix it? Google didn't help me yet and I couldn't find the solution in old mailing list entries.
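Since the problem above comes down to telling a pcap spool file from a unified2 one, here is an added Python check (not part of the original post and not Snort's own code) that classifies a file by its header bytes and, for unified2, walks the record headers the way u2spewfoo would. pcap magic numbers are the standard libpcap/pcapng ones; the unified2 record type values are taken from Snort's Unified2_common.h; the sample byte strings at the bottom are constructed here and are not data from the poster's system.

```python
import struct

# libpcap and pcapng file magics (first 4 bytes of the file)
PCAP_MAGICS = {
    b"\xa1\xb2\xc3\xd4": "pcap (big-endian, microsecond)",
    b"\xd4\xc3\xb2\xa1": "pcap (little-endian, microsecond)",
    b"\xa1\xb2\x3c\x4d": "pcap (big-endian, nanosecond)",
    b"\x4d\x3c\xb2\xa1": "pcap (little-endian, nanosecond)",
    b"\x0a\x0d\x0d\x0a": "pcapng",
}

# Unified2 record types from Snort's Unified2_common.h. A unified2 file has
# no file magic: it is a sequence of (type, length) headers in network byte
# order, each followed by `length` bytes of record body.
UNIFIED2_TYPES = {
    2: "UNIFIED2_PACKET",
    7: "UNIFIED2_IDS_EVENT",
    72: "UNIFIED2_IDS_EVENT_IPV6",
    99: "UNIFIED2_IDS_EVENT_MPLS",
    100: "UNIFIED2_IDS_EVENT_IPV6_MPLS",
    104: "UNIFIED2_IDS_EVENT_VLAN",
    105: "UNIFIED2_IDS_EVENT_IPV6_VLAN",
    110: "UNIFIED2_EXTRA_DATA",
}


def classify(data: bytes) -> str:
    """Return a label for a Snort output file given its raw bytes."""
    if len(data) < 8:
        return "too short"
    if data[:4] in PCAP_MAGICS:
        return PCAP_MAGICS[data[:4]]
    rtype, rlen = struct.unpack(">II", data[:8])
    # Plausible unified2: a known record type and a complete first record.
    if rtype in UNIFIED2_TYPES and 8 + rlen <= len(data):
        return "unified2"
    return "unknown"


def walk_unified2(data: bytes):
    """Yield (record type name, body length) for every record, like u2spewfoo.

    Raises ValueError on an unknown type or a truncated record, which is
    exactly what a pcap file fed to a unified2 reader produces.
    """
    records = []
    off = 0
    while off + 8 <= len(data):
        rtype, rlen = struct.unpack(">II", data[off:off + 8])
        if rtype not in UNIFIED2_TYPES or off + 8 + rlen > len(data):
            raise ValueError(f"malformed unified2 record at offset {off}")
        records.append((UNIFIED2_TYPES[rtype], rlen))
        off += 8 + rlen
    return records


def classify_file(path: str) -> str:
    """Classify a spool file on disk by reading it (constructed helper)."""
    with open(path, "rb") as fh:
        return classify(fh.read())


# Constructed sample 1: a libpcap global header (little-endian, v2.4,
# snaplen 65535, link type 1 = Ethernet) as tcpdump would read it.
PCAP_SAMPLE = b"\xd4\xc3\xb2\xa1" + struct.pack("<HHiIII", 2, 4, 0, 0, 65535, 1)

# Constructed sample 2: a unified2 stream with one IDS event (52-byte legacy
# event body, zero-filled) followed by one packet record (28-byte header plus
# an 8-byte fake packet payload).
_FAKE_PKT = b"\xde\xad\xbe\xef\x00\x01\x02\x03"
U2_SAMPLE = (
    struct.pack(">II", 7, 52) + b"\x00" * 52
    + struct.pack(">II", 2, 28 + len(_FAKE_PKT))
    + struct.pack(">IIIIIII", 1, 1, 0, 0, 0, 1, len(_FAKE_PKT))
    + _FAKE_PKT
)

if __name__ == "__main__":
    print("sample 1:", classify(PCAP_SAMPLE))
    print("sample 2:", classify(U2_SAMPLE), walk_unified2(U2_SAMPLE))
```

Run it against a real spool file with `classify_file("/var/log/snort/eth1/snort.log.1359535265")`: the poster's file would come back as a pcap label, which confirms the output plugin that wrote it was not unified2 before anyone digs further into snort.conf or barnyard2.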