[Snort-users] Not getting unified2 output

mulhern mulhern at ...11827...
Mon Jul 22 13:03:16 EDT 2013


Done! And now I see merged.log and it's the correct format.

- mulhern


On Mon, Jul 22, 2013 at 12:26 PM, beenph <beenph at ...11827...> wrote:

> Remove -A fast and -b from your snort command line.
>
> -elz
>
>
> On Mon, Jul 22, 2013 at 12:14 PM, mulhern <mulhern at ...11827...> wrote:
> > Hi all,
> >
> > My snort.conf file is set up for unified output.
> >
> > My sysconfig file specifies a lot of things, resulting in an invocation of
> > the snort init script with the following options
> >
> > -A fast -b -d -D -i eth0 -u snort -g snort -c /etc/snort/snort.conf -l
> > /var/log/snort/eth0
> >
> > I've set snort.conf with line
> >
> > output unified2: filename merged.log, limit 128
> >
> > I've set up a local-test.rules file that alerts on everything.
> >
> > I cannot find the merged.log file anywhere. I can find a snort.log which is
> > filling up with all sorts of data in tcpdump format, due to the -b flag.
> > There's also an alert file which is filling up with text, due to the -A fast
> > option.
> >
> > But where should I be looking for unified2 output?
> >
> > Thanks!
> >
> > - mulhern
> >
> >
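The fix in the thread is a command-line change, but it also helps to confirm that merged.log really holds unified2 records rather than just existing. This added Python example (not from the thread and not Snort's own code) walks the record headers and decodes the IPv4 IDS event layout; the type codes and field order are assumed from Snort's public unified2.h, and the sample bytes are constructed, not a real capture.

```python
import socket
import struct
from typing import Dict, Iterator, Tuple
# Record type codes from Snort's unified2.h (assumed from the public spec).
UNIFIED2_PACKET = 2
UNIFIED2_IDS_EVENT = 7
# Every record: big-endian (type, length) header, then `length` payload bytes.
HEADER = struct.Struct("!II")
# Legacy IPv4 IDS event (type 7): sensor, event_id, sec, usec, sid, gid, rev,
# class, priority, src, dst, sport, dport, proto, impact_flag, impact, blocked.
IDS_EVENT = struct.Struct("!9I4s4sHH4B")

def iter_records(data: bytes) -> Iterator[Tuple[int, bytes]]:
    """Walk a unified2 buffer, yielding (type, payload); reject truncated input."""
    off = 0
    while off < len(data):
        if len(data) - off < HEADER.size:
            raise ValueError(f"truncated record header at offset {off}")
        rtype, rlen = HEADER.unpack_from(data, off)
        off += HEADER.size
        if len(data) - off < rlen:
            raise ValueError(f"type {rtype} record claims {rlen} bytes at offset "
                             f"{off}, only {len(data) - off} remain")
        yield rtype, data[off:off + rlen]
        off += rlen

def decode_ids_event(payload: bytes) -> Dict[str, object]:
    """Decode a type-7 event into the fields checked first when validating output."""
    f = IDS_EVENT.unpack_from(payload)
    return {"event_id": f[1], "event_second": f[2],
            "rule": f"{f[5]}:{f[4]}:{f[6]}",  # gid:sid:rev
            "priority": f[8], "src": socket.inet_ntoa(f[9]), "dst": socket.inet_ntoa(f[10]),
            "sport": f[11], "dport": f[12], "protocol": f[13]}

def summarize(data: bytes) -> Dict[int, int]:
    """Count records per type; a working merged.log shows type 7 (and 2) entries."""
    counts: Dict[int, int] = {}
    for rtype, _ in iter_records(data):
        counts[rtype] = counts.get(rtype, 0) + 1
    return counts

def _record(rtype: int, payload: bytes) -> bytes:
    return HEADER.pack(rtype, len(payload)) + payload

# Constructed sample, not a real capture: one alert from a local test rule plus its packet.
SAMPLE = _record(UNIFIED2_IDS_EVENT, IDS_EVENT.pack(
    0, 1, 1374508800, 0, 1000001, 1, 1, 0, 3, socket.inet_aton("10.0.0.1"),
    socket.inet_aton("10.0.0.2"), 12345, 80, 6, 0, 0, 0)) + _record(
    UNIFIED2_PACKET, struct.pack("!7I", 0, 1, 1374508800, 1374508800, 0, 1, 4) + b"\xde\xad\xbe\xef")
```

To check a real file, pass the bytes of the merged.log file under the -l directory to summarize() (Snort appends a timestamp suffix to the name unless nostamp is set); a ValueError on the final record usually means Snort was still writing it.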