[Snort-users] Unable to get snort to output unified logs

Jeremy Hoel jthoel at ...11827...
Fri Aug 22 19:10:57 EDT 2014


Centos can also have defaults in the /etc/sysconfig/snort file. I would
check there for any defaults also.  Did you install via rpm or by source?
I am running 50+ snort sensors on centos, so I know it works fine, though I
do compile from source instead of using the rpm; we can figure it out if
you want.


On Fri, Aug 22, 2014 at 11:04 PM, Khanh Tran <ktran at ...16949...> wrote:

>  Hello,
>
>
> I'm running CentOS release 6.5 (Final):
>
> # uname -a
>
> 2.6.32-431.1.2.0.1.el6.x86_64 #1 SMP Fri Dec 13 13:06:13 UTC 2013 x86_64
> x86_64 x86_64 GNU/Linux
>
>
> I just tried your suggestion by executing snort using the exact
> path... Unfortunately, no luck. Going to rebuild this weekend and will try
> running snort on Ubuntu or Fedora. So strange...
>
> Thanks
>
>
> KT
>
>
>  On August 22, 2014 at 6:05 PM waldo kitty <wkitty42 at ...14940...>
> wrote:
>
>
> On 8/22/2014 1:17 PM, Khanh Tran wrote:
> > Hello,
> >
> >
> > I'm not sure what I'm doing wrong but snort consistently outputs pcap logs
> > instead of unified2 format which is required by Barnyard2.
> >
> > Snort seems to ignore my unified output completely. Other outputs such as
> > tcpdump, syslog and alerting worked fine. But my unified output line -->
> > 'output unified2: filename snort.u2, limit 128' is completely ignored by
> > snort. Even when this line is commented out, snort continues to generate
> > snort.log.xxxx in pcap format. It seems to ignore the output unified2 line
> > completely.
>
> what OS are you running snort on?
>
> i ask because we've seen instances where folks on *nix thought they were
> running the snort binary but were, instead, running a wrapper script which
> had hardcoded options in it which overrode what they thought they were
> sending on the command line...
>
> the way around this is to always use the path to execute snort so that you
> /know/ that what you think you are running is actually what you are
> running...
>
> eg: /usr/local/snort/bin/snort some command params here
> /etc/init.d/snort start
>
> --
> NOTE: No off-list assistance is given without prior approval.
> Please *keep mailing list traffic on the list* unless
> private contact is specifically requested and granted.
>
>
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
>
> Please visit http://blog.snort.org to stay current on all the latest
> Snort news!
>
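An added diagnostic script for the two causes raised in this thread (a wrapper script standing in for the snort binary, and defaults in /etc/sysconfig/snort); it is not code from the thread or from the Snort project. The paths /etc/sysconfig/snort and /etc/snort/snort.conf are assumed defaults, and the wrapper contents and sysconfig lines in the comments are constructed illustrations.

```shell
#!/bin/sh
# Diagnostic helpers for the "snort ignores output unified2" symptom.
# Added example, not code from the thread or from the Snort project.

# Return 0 if FILE starts with "#!" (a wrapper script), 1 if it does not
# (e.g. a compiled ELF binary), 2 if FILE is unreadable.
is_wrapper_script() {
    [ -r "$1" ] || return 2
    case "$(dd if="$1" bs=2 count=1 2>/dev/null)" in
        '#!') return 0 ;;
        *)    return 1 ;;
    esac
}

# Print the active (uncommented) KEY=VALUE lines of a sysconfig-style
# defaults file such as /etc/sysconfig/snort, leading whitespace stripped.
# Constructed example line this would surface: OPTIONS="-b -l /var/log/snort"
active_settings() {
    grep -E '^[[:space:]]*[A-Za-z_][A-Za-z0-9_]*=' "$1" | sed 's/^[[:space:]]*//'
}

# Return 0 if CONF has an uncommented "output unified2:" directive.
has_unified2_output() {
    grep -Eq '^[[:space:]]*output[[:space:]]+unified2:' "$1"
}

# Report what "snort" on PATH resolves to and which defaults would apply.
# Paths are assumed defaults; pass your snort.conf as the first argument.
describe_snort_on_path() {
    bin=$(command -v snort 2>/dev/null) || { echo "snort: not found on PATH"; return 1; }
    if is_wrapper_script "$bin"; then
        echo "$bin is a wrapper script; lines that invoke snort:"
        grep -n 'snort' "$bin"
    else
        echo "$bin is a binary, not a wrapper script"
    fi
    if [ -r /etc/sysconfig/snort ]; then
        echo "active settings in /etc/sysconfig/snort:"
        active_settings /etc/sysconfig/snort
    fi
    conf=${1:-/etc/snort/snort.conf}
    if [ -r "$conf" ]; then
        if has_unified2_output "$conf"; then
            echo "$conf: unified2 output is configured"
        else
            echo "$conf: no active 'output unified2:' line"
        fi
    fi
}
```

Run `describe_snort_on_path /path/to/snort.conf` on the sensor; a wrapper script or an OPTIONS line in the defaults file explains command-line options that appear to be ignored.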