[Snort-users] unified2 merged logging does not work properly when the -s command line parameter

Jonathan Kobrick kobo500 at ...11827...
Mon Jun 24 12:57:44 EDT 2013


I wanted to share this finding with the group in case others have hit this
issue.  Apologies in advance if this is already a known issue or a
documented config exception but I couldn't find any reference to this.

I was trying to get unified2 merged logging working.  As part of our
troubleshooting, we upgraded to 2.9.4.6 and still saw this issue.  Snort
was generating snort.log files even though we had this output plugin
configured in snort.conf:

output unified2: filename snort.u2, limit 128

output alert_syslog: LOG_AUTH LOG_ALERT


They weren't being processed by barnyard (2-1.13) and pumped into the
database.

What I found was that we had a "-s" going in as a parameter when snort was
starting, so we removed the "-s" from the snort command line (it was in the
init.d script; I'm not sure where it came from, it could have been legacy,
which is what tripped us up). The -s is to log snort alerts to syslog, but
that's not required since we use the syslog output plugin in snort.conf
already. The "-s" was apparently conflicting with the unified2 output
plugin, since we got snort.log files instead of the snort.u2 files.

Hopefully this is helpful to someone.
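As an added example (not part of the original post, and not a Snort or barnyard tool), the following POSIX shell script turns the finding above into a repeatable check: it flags a Snort start line that carries a standalone `-s` while `snort.conf` also declares a `unified2` output, and it summarises which artifacts a log directory actually contains so you can confirm after a restart that `.u2` files rather than `snort.log*` files are being written. The command line, config fragment and file names embedded in it are constructed for the demo; the init.d path and log directory on a real box will differ.

```shell
#!/bin/sh
# Added example: detect the "-s on the command line + unified2 in snort.conf"
# combination described in the post, and confirm which logger is producing files.
# All sample data below is constructed; adjust paths for a real deployment.

# Constructed start line, as an init.d script might assemble it.
SAMPLE_CMDLINE='/usr/local/bin/snort -s -c /etc/snort/snort.conf -i eth0 -D'

# Constructed snort.conf fragment mirroring the output section from the post.
SAMPLE_CONF='output unified2: filename snort.u2, limit 128
output alert_syslog: LOG_AUTH LOG_ALERT'

# has_syslog_flag CMDLINE
# Returns 0 when a standalone "-s" (Snort 2.x: log alerts to syslog) is present.
# The pattern requires whitespace or line boundaries around "-s" so that
# values such as "-c /etc/snort/snort.conf" are not mistaken for the flag.
has_syslog_flag() {
    printf '%s\n' "$1" | grep -qE '(^|[[:space:]])-s([[:space:]]|$)'
}

# has_unified2_output CONF
# Returns 0 when an uncommented "output unified2:" line exists in the config text.
has_unified2_output() {
    printf '%s\n' "$1" | grep -qE '^[[:space:]]*output[[:space:]]+unified2:'
}

# check_snort_outputs CMDLINE CONF
# Prints a verdict; returns 1 when the conflicting combination is present.
check_snort_outputs() {
    cmd=$1
    conf=$2
    if has_syslog_flag "$cmd" && has_unified2_output "$conf"; then
        echo "CONFLICT: -s on the command line together with unified2 output in snort.conf"
        echo "          drop -s and rely on 'output alert_syslog' instead"
        return 1
    fi
    echo "OK: no -s / unified2 combination found"
    return 0
}

# log_artifact_summary DIR
# Prints "logfiles=N u2files=M" for a log directory, so that after a restart
# you can verify unified2 files are appearing and snort.log* files are not.
log_artifact_summary() {
    dir=$1
    n_log=$(find "$dir" -maxdepth 1 -name 'snort.log*' | wc -l | tr -d ' ')
    n_u2=$(find "$dir" -maxdepth 1 -name 'snort.u2*' | wc -l | tr -d ' ')
    echo "logfiles=$n_log u2files=$n_u2"
}

# Stand-alone run against the constructed data (hypothetical paths).
check_snort_outputs "$SAMPLE_CMDLINE" "$SAMPLE_CONF" || true
```

On a live system you would feed `check_snort_outputs` the line actually executed by the init script (or `ps -o args= -C snort` output) and the contents of the real `snort.conf`, then call `log_artifact_summary /var/log/snort` after restarting; the grep for `-s` is deliberately narrow so the check does not react to `-s` appearing inside a path or an option value.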