[Snort-users] can't log to merged.log file in unified2 format in Version 2.9.9.0

Berndt, Achim aberndt at ...15761...
Sat Apr 22 07:29:52 EDT 2017


Hello,

that's my working config:

################################################################################
# unified2
# Recommended for most installs
# output unified2: filename merged.log, limit 128, nostamp, mpls_event_types, vlan_event_types
output unified2: filename merged.log2, limit 128
output unified2: filename merged.log2, limit 128

# Additional configuration for specific types of installs
# output alert_unified2: filename snort.alert, limit 128, nostamp
# output log_unified2: filename snort.log, limit 128, nostamp
# output alert_unified2: filename snort.alert2, limit 128
# output log_unified2: filename snort.log2, limit 128
# syslog
# output alert_syslog: LOG_AUTH LOG_ALERT

# pcap
# output log_tcpdump: tcpdump.log

# metadata reference data.  do not modify these lines
include classification.config
include reference.config
#################################################################################

it generates the following logfiles:
-> merged.log2 (unified2 format)

If I enable:
output unified2: filename merged.log2, limit 128
output alert_unified2: filename snort.alert2, limit 128
output log_unified2: filename snort.log2, limit 128
it generates the following logfiles:
-> snort.alert2 (unified2 format)
-> snort.log2 (unified2 format)

If I enable:
output alert_unified2: filename snort.alert2, limit 128
output log_unified2: filename snort.log2, limit 128
it generates the following logfiles:
-> alert (pcap format)
-> snort.log2 (unified2 format)

It seems that the first entry is ignored?!

Regards
Achim
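Russ's question about the preceding line points at a check worth running on the file itself. Snort's configuration syntax joins a physical line that ends in a backslash with the line that follows it (the stock snort.conf relies on this for long preprocessor directives), so an `output` directive can disappear if the line directly above it ends that way. The script below is an added diagnostic, not Snort's own parser and not code from this thread: it applies that continuation rule and `#` comment stripping to a constructed snort.conf excerpt (modelled on the one above, with a trailing backslash added to the comment line to show the failure mode) and lists which `output` directives and filenames survive, plus any `output` line that would be swallowed by its predecessor. Whether this is what happened in Achim's file is not established by the thread; the sample input and the simplified parsing model are assumptions.

```python
"""Added diagnostic (not Snort's code): which `output` directives in a
snort.conf survive `#` comments and trailing-backslash line continuation?

Simplified model, assumed here rather than taken from Snort's parser:
  - a physical line ending in `\` is joined with the next physical line;
  - the joined logical line is a comment if it starts with `#`;
  - every other logical line is `<keyword> [<rest>]`.
"""
import re

# Constructed sample, modelled on the thread's snort.conf excerpt, with a
# trailing backslash added to the comment line to demonstrate the problem.
SAMPLE_CONF = r"""
# unified2
# Recommended for most installs
# output unified2: filename merged.log, limit 128, nostamp \
output unified2: filename merged.log2, limit 128
output unified2: filename merged.log2, limit 128

# Additional configuration for specific types of installs
# output alert_unified2: filename snort.alert, limit 128, nostamp
output log_unified2: filename snort.log2, limit 128
include classification.config
"""

OUTPUT_RE = re.compile(r"output\s+(\w+)\s*:\s*(.*)$")


def logical_lines(text):
    """Return (first_physical_lineno, joined_text) after `\` continuation."""
    result, buf, start = [], [], None
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.rstrip()
        if start is None:
            start = lineno
        if line.endswith("\\"):
            # Continuation: drop the backslash and keep accumulating.
            buf.append(line[:-1].rstrip())
            continue
        buf.append(line)
        result.append((start, " ".join(buf).strip()))
        buf, start = [], None
    if buf:  # file ended on a continuation line
        result.append((start, " ".join(buf).strip()))
    return result


def output_directives(text):
    """Effective `output` directives as (lineno, plugin, args)."""
    directives = []
    for lineno, line in logical_lines(text):
        if not line or line.startswith("#"):
            continue
        m = OUTPUT_RE.match(line)
        if m:
            directives.append((lineno, m.group(1), m.group(2).strip()))
    return directives


def output_filenames(text):
    """(plugin, filename) for every effective directive carrying `filename`."""
    names = []
    for _, plugin, args in output_directives(text):
        for part in args.split(","):
            key, _, val = part.strip().partition(" ")
            if key == "filename" and val:
                names.append((plugin, val.strip()))
    return names


def swallowed_directives(text):
    """Physical `output` lines lost because the previous line ends in `\`."""
    physical = text.splitlines()
    swallowed = []
    for idx, raw in enumerate(physical):
        if not raw.lstrip().startswith("output"):
            continue
        if idx > 0 and physical[idx - 1].rstrip().endswith("\\"):
            swallowed.append((idx + 1, raw.strip()))
    return swallowed


if __name__ == "__main__":
    for lineno, plugin, args in output_directives(SAMPLE_CONF):
        print(f"line {lineno}: output {plugin}: {args}")
    print("files:", output_filenames(SAMPLE_CONF))
    print("swallowed:", swallowed_directives(SAMPLE_CONF))
```

Run it against a real snort.conf by replacing `SAMPLE_CONF` with the file contents; an `output` line reported under "swallowed" is one that Snort would never see as a directive of its own under the continuation rule, which matches the symptom of the first of two identical lines being ignored.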



-----Original Message-----
From: Russ [mailto:rucombs at ...589...]
Sent: Friday, 21 April 2017 15:09
To: Berndt, Achim <aberndt at ...15761...>; snort-users at lists.sourceforge.net
Subject: Re: [Snort-users] can't log to merged.log file in unified2 format in Version 2.9.9.0

What is in your conf on the preceding line?

On 4/21/17 6:26 AM, Berndt, Achim wrote:
> Hello,
>
> it works if we put the directive in twice.
>
> output unified2: filename merged.u2, limit 128
> output unified2: filename merged.u2, limit 128
>
> it seems that the first line is ignored.
>
> Regards
> Achim
>
>
