[Snort-users] Barnyard problem?
snort at ...16635...
Fri Dec 18 06:22:41 EST 2015
Removing "nostamp, mpls_event_types, vlan_event_types" from the unified
output section of my snort.conf has fixed the problem. My guess is it was
the nostamp in particular since Snort is now outputting files named
filename.timestamp and that's what Barnyard was looking for rather than
On 17 December 2015 at 15:57, James <snort at ...16635...> wrote:
> I tried the barnyard users mailing list but this one is a bit more
> populated so I'm trying here too. I am attempting to run 16 instances of
> snort which, via pf_ring, are monitoring 2 x 10Gb NIC's. That part is
> working and Snort is logging to a unified2 file. This is in my snort.conf:
> output unified2: filename merged.log, limit 1024, nostamp,
> mpls_event_types, vlan_event_types
> Snort is started via this command line (I'm simplifying to a single
> instance here for debug purposes):
> snort -q -u snort -g snort --pid-path /var/run --create-pidfile -D -c
> /etc/snort/snort.conf -l /logs/snort/eth4_eth5/instance-0
> --daq-dir=/usr/local/lib/daq --daq pfring_zc --daq-mode passive -i zc:eth4 at ...183...
> ,zc:eth5 at ...183... --daq-var clusterid=0 --daq-var bindcpu=0
> Within that log dir I see the merged.log file is created:
> [ ~]$ sudo ls -l /logs/snort/eth4_eth5/instance-0
> total 68
> -rw-r--r-- 1 snort snort 0 Dec 16 11:22 bylog.waldo
> -rw------- 1 snort snort 63957 Dec 16 15:43 merged.log
> -rw------- 1 snort snort 6 Dec 16 11:23 snort_zc:eth4 at ...183...,zc:eth5 at ...17407...
> -rwx------ 1 snort snort 0 Dec 16 11:23 snort_zc:eth4 at ...183...
> ,zc:eth5 at ...17408...
> Barnyard is started via this command line:
> barnyard2 -q -u snort -g snort -D -c /etc/snort/barnyard2.conf -d
> /logs/snort/eth4_eth5/instance-0 -f merged.log -i eth4_eth5-0 -w
> But, as you can see from the dir listing above, the bylog.waldo file
> remains at 0 bytes and I receive no events at barnyards configured output
> syslog server. I know alerts have been generated because Snort is also
> (temporarily) set to log to syslog directly. Barnyard is definitely running
> and /var/log/messages shows it is waiting for new spool file. It does warn
> about a corrupt/truncated waldofile, but I gather from other forum posts
> that is normal on first run. The u2spewfoo command shows the merged.log
> file as being a valid file which contains events.
> Any help would be very much appreciated.
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the Snort-users