[Snort-users] Barnyard problem?

James snort at ...16635...
Thu Dec 17 10:57:11 EST 2015


Hi,

I tried the barnyard users mailing list but this one is a bit more
populated so I'm trying here too. I am attempting to run 16 instances of
snort which, via pf_ring, are monitoring 2 x 10Gb NIC's. That part is
working and Snort is logging to a unified2 file. This is in my snort.conf:

output unified2: filename merged.log, limit 1024, nostamp,
mpls_event_types, vlan_event_types

Snort is started via this command line (I'm simplifying to a single
instance here for debug purposes):

snort -q -u snort -g snort --pid-path /var/run --create-pidfile -D -c
/etc/snort/snort.conf -l /logs/snort/eth4_eth5/instance-0
--daq-dir=/usr/local/lib/daq --daq pfring_zc --daq-mode passive -i zc:eth4 at ...183...
,zc:eth5 at ...183... --daq-var clusterid=0 --daq-var bindcpu=0

Within that log dir I see the merged.log file is created:

[ ~]$ sudo ls -l /logs/snort/eth4_eth5/instance-0
total 68
-rw-r--r-- 1 snort snort     0 Dec 16 11:22 bylog.waldo
-rw------- 1 snort snort 63957 Dec 16 15:43 merged.log
-rw------- 1 snort snort     6 Dec 16 11:23 snort_zc:eth4 at ...183...,zc:eth5 at ...17407...
-rwx------ 1 snort snort     0 Dec 16 11:23 snort_zc:eth4 at ...183...
,zc:eth5 at ...17408...

Barnyard is started via this command line:

barnyard2 -q -u snort -g snort -D -c /etc/snort/barnyard2.conf -d
/logs/snort/eth4_eth5/instance-0 -f merged.log -i eth4_eth5-0 -w
/logs/snort/eth4_eth5/instance-0/bylog.waldo

But, as you can see from the dir listing above, the bylog.waldo file
remains at 0 bytes and I receive no events at barnyards configured output
syslog server. I know alerts have been generated because Snort is also
(temporarily) set to log to syslog directly. Barnyard is definitely running
and /var/log/messages shows it is waiting for new spool file. It does warn
about a corrupt/truncated waldofile, but I gather from other forum posts
that is normal on first run. The u2spewfoo command shows the merged.log
file as being a valid file which contains events.

Any help would be very much appreciated.

Thanks
J.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20151217/fba29d96/attachment.html>


More information about the Snort-users mailing list