[Snort-users] Unified logging doesn't work.

James Lay jlay at ...13475...
Mon Jun 9 17:19:55 EDT 2014


On 2014-06-09 15:16, Steve Crow wrote:
> In the /etc/sysconfig/snort file there is this:
>
> #### General Configuration
>
> # What interface should snort listen on?  [Pick only 1 of the next 3!]
> # This is -i {interface} on the command line
> # This is the snort.conf config interface: {interface} directive
> # INTERFACE=eth0
> #
> # The following two options are not directly supported on the command line
> # or in the conf file and assume the same Snort configuration for all
> # instances
> #
> # To listen on all interfaces use this:
> #INTERFACE=ALL
> #
> # To listen only on given interfaces use this:
> INTERFACE="eth0 eth1"
>
> -----------------
>
> I included the full text in a reply to Joel. I am considering
> changing this to ALL if Barnyard2 will work with a single unified file
> that covers more than one interface. We're not a high bandwidth
> operation, so I don't think I need to configure separate processes and
> configuration files for each interface.
>
> Steve

Well...I don't recognize the sysconfig file but I can tell you that:

snort --daq afpacket --daq-mode passive -i eth0:eth1

Works like a champ and creates only one unified file.

James




