[Snort-users] event id = 0 on all unified2 events

Eugenio Pérez eupm90 at ...11827...
Thu Feb 6 07:56:50 EST 2014


Hi everyone.

I've just installed snort and I'm seeing that all events in the unified2
file have the event id field set to 0.

I've checked the rules, and they all have a sid != 0, and I've configured the
snort.conf unified output plugin like this:

output unified2: filename snort.log, limit 128

The same snort installation runs fine on other machines. So, under what
circumstances is this field set to 0? Where should I look to get the event
id field filled?

BTW, I'm using snort version 2.9.4.0.

Thanks in advance.
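
Added example, not part of the original post: a small reader that reports the event id and signature id stored in each unified2 event record, so the two fields can be compared directly against the file the sensor wrote. It assumes the Snort 2.9 unified2 layout (8-byte big-endian type/length header; IPv4 event record types 7 and 104 starting with sensor id, event id, seconds, microseconds, signature id, generator id, revision); the function names and the sample bytes are constructed for illustration.

```python
import struct

HEADER = struct.Struct(">II")        # record type, record length (network order)
EVENT_PREFIX = struct.Struct(">7I")  # leading fields of an IDS event record
EVENT_TYPES = {7, 104}               # assumption: IPv4 IDS event, legacy and v2

def iter_events(data):
    """Yield the leading fields of every IDS event record in a unified2 buffer."""
    offset = 0
    while offset + HEADER.size <= len(data):
        rtype, rlen = HEADER.unpack_from(data, offset)
        body = data[offset + HEADER.size: offset + HEADER.size + rlen]
        if len(body) < rlen:
            break  # truncated last record, e.g. file still being written
        offset += HEADER.size + rlen
        if rtype in EVENT_TYPES and rlen >= EVENT_PREFIX.size:
            sensor, event_id, sec, usec, sid, gid, rev = EVENT_PREFIX.unpack_from(body)
            yield {"type": rtype, "sensor_id": sensor, "event_id": event_id,
                   "second": sec, "gid": gid, "sid": sid, "rev": rev}

def summarize(data):
    """Count event records and how many carry event_id == 0."""
    events = list(iter_events(data))
    return {"events": len(events),
            "zero_event_id": sum(1 for e in events if e["event_id"] == 0),
            "sids": sorted({e["sid"] for e in events})}

def _sample_event(event_id, sid):
    # Constructed 52-byte type 7 record: 11 x uint32, 2 x uint16, 4 x uint8.
    body = struct.pack(">11I2H4B", 0, event_id, 1391691410, 0, sid, 1, 1, 0, 3,
                       0x0A000001, 0x0A000002, 1234, 80, 6, 0, 0, 0)
    return HEADER.pack(7, len(body)) + body

# Constructed sample: two events with a non-event record (type 2) in between.
SAMPLE = (_sample_event(0, 2000001)
          + HEADER.pack(2, 4) + b"\x00" * 4
          + _sample_event(5, 2000002))

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:  # path to a unified2 file
            print(summarize(fh.read()))
    else:
        print(summarize(SAMPLE))
```

Run with the path of a unified2 file as the only argument to summarize that file; with no argument it summarizes the constructed sample.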