[Snort-users] Unified logging doesn't work.

Joel Esler (jesler) jesler at ...589...
Mon Jun 9 16:26:24 EDT 2014

Are you starting Snort with a script?


$snort start
[ OK ]

type of thing?

If so, the script may be setting its own logging method on the command line (which overrides the snort.conf)

Joel Esler
Open Source Manager
Threat Intelligence Team Lead
Vulnerability Research Team
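Added example, not part of Joel's reply or of the Snort project's own scripts: a small POSIX shell check that rebuilds the argument list a Red Hat style snortd script assembles from /etc/sysconfig/snort and lists the command-line options which, per the Snort manual, override the output plugins configured in snort.conf (-A alert mode, -l log directory, -N no packet logging, -s syslog alerts, -b tcpdump-format logging). The sysconfig variable names (ALERTMODE, BINARY_LOG, INTERFACE, LOGDIR, CONF), the way the script strings them together, and the sample sysconfig contents are assumptions modelled on that packaging, not the poster's actual files.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread). Shows how a start-up
# script can quietly put -A / -l on the snort command line, which the Snort
# manual says override the `output` plugins in snort.conf.

# List the snort command-line options that override snort.conf output
# plugins. Flags taken from the Snort 2.x manual:
#   -A <mode>  alert mode (fast, full, console, cmg, none, unsock)
#   -l <dir>   log directory
#   -N         turn off packet logging
#   -s         send alerts to syslog
#   -b         log packets in tcpdump (binary) format
snort_cmdline_overrides() {
    prev=""
    found=""
    for arg in "$@"; do
        case "$prev" in
            -A) found="$found alert-mode=$arg"; prev=""; continue ;;
            -l) found="$found logdir=$arg";     prev=""; continue ;;
        esac
        case "$arg" in
            -A|-l) prev="$arg" ;;
            -N)    found="$found no-packet-log" ;;
            -s)    found="$found syslog-alerts" ;;
            -b)    found="$found tcpdump-binary-log" ;;
        esac
    done
    printf '%s\n' "${found# }"
}

# Rebuild the argument list a Red Hat style snortd script assembles from a
# sysconfig file. ASSUMED layout (check the real script on your box): an
# ALERTMODE value becomes -A, BINARY_LOG=1 becomes -b, and logs go to
# $LOGDIR/$INTERFACE, which is why each interface gets its own directory.
snort_args_from_sysconfig() {
    (
        . "$1"
        args=""
        [ -n "$ALERTMODE" ] && args="$args -A $ALERTMODE"
        [ "$BINARY_LOG" = 1 ] && args="$args -b"
        args="$args -i $INTERFACE -l $LOGDIR/$INTERFACE -c $CONF"
        printf '%s\n' "${args# }"
    )
}

# Write a constructed sample sysconfig (not a real /etc/sysconfig/snort)
# to a temp file and print its path.
write_sample_sysconfig() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
# constructed sample, modelled on the Red Hat snort package
INTERFACE=eth0
CONF=/etc/snort/snort.conf
LOGDIR=/var/log/snort
ALERTMODE=fast
BINARY_LOG=1
EOF
    printf '%s\n' "$f"
}

# Demo: the sample sysconfig yields "-A fast", so snort writes plain-text
# "fast" alerts under /var/log/snort/eth0 regardless of any
# "output unified2:" line in snort.conf.
sample=$(write_sample_sysconfig)
echo "script would run: snort $(snort_args_from_sysconfig "$sample")"
echo "snort.conf output overridden by: $(snort_cmdline_overrides $(snort_args_from_sysconfig "$sample"))"
rm -f "$sample"
```

On a live box the quickest equivalent check is `ps -C snort -o args`: if the running command line carries `-A <mode>` or `-l <dir>` it came from the script, not from snort.conf, and that is where the per-interface plain-text alert files come from.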

On Jun 9, 2014, at 4:19 PM, Steve Crow <scrow at ...16818...> wrote:

I am having a similar issue. I am trying to monitor two interfaces.

I have the snort.conf output set up like this:
output unified2: filename merged.log, limit 128,

But I have alert files showing up in each interface directory in plain text.

The /etc/sysconfig/snort file seems to be controlling this, but I don't see
an option for output using unified2 in the sysconfig/snort file, or for
having a merged.log for both interfaces that I can monitor.

Doing a search doesn’t reveal a merged.log either.

Thank you,