[Snort-users] Unable to get snort to output unified logs

waldo kitty wkitty42 at ...14940...
Fri Aug 22 18:05:27 EDT 2014

On 8/22/2014 1:17 PM, Khanh Tran wrote:
> Hello,
> I'm not sure what I'm doing wrong but snort consistently outputs pcap logs
> instead of unified2 format which is required by Barnyard2.
> Snort seems to ignore my unified output completely. Other outputs such as
> tcpdump, syslog and alerting worked fine. But my unified output line --> 'output
> unified2: filename snort.u2, limit 128' is completely ignored by snort. Even
> when this line is commented out, snort continues to generate snort.log.xxxx in
> pcap format. It seems to ignore output unified2 line completely.

what OS are you running snort on?

i ask because we've seen instances where folks on *nix thought they were running 
the snort binary but were, instead, running a wrapper script which had hardcoded 
options in it which overrode what they thought they were sending on the command 

the way around this is to always use the path to execute snort so that you 
/know/ that what you think you are running is actually what you are running...

eg: /usr/local/snort/bin/snort some command params here
     /etc/init.d/snort start
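As an added example (not from this thread), a small shell check that tells you whether the `snort` found on PATH is the real binary or a wrapper script, and, for a wrapper, prints the lines that inject hardcoded options; the paths in it are illustrative.

```shell
#!/bin/sh
# Added example, not part of the original thread.
# Assumes POSIX sh plus head/od/grep; all paths are illustrative.

# Print "script", "binary" or "missing" for the given launcher path.
# A wrapper script starts with "#!"; a real snort executable does not.
classify_launcher() {
    path="$1"
    [ -f "$path" ] || { echo missing; return 1; }
    magic=$(head -c 2 "$path" | od -An -c | tr -d ' ')
    case "$magic" in
        '#!') echo script ;;
        *)    echo binary ;;
    esac
}

# For a wrapper script, show the lines that call snort with options,
# i.e. the hardcoded flags that override what you typed.
wrapper_options() {
    grep -E '(^|/)snort[[:space:]]+-' "$1" 2>/dev/null
}

# Resolve the name a user would type (default "snort") to its on-PATH location,
# so it can be compared with the explicit binary path, e.g. /usr/local/snort/bin/snort.
resolve_snort() {
    command -v "${1:-snort}"
}
```

Run `classify_launcher "$(resolve_snort)"` and, if it reports `script`, `wrapper_options` on that path to see which options the wrapper forces.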

