[Snort-users] Problem with unified2 files
jmdlinux at gmail.com
Mon May 7 22:57:46 EDT 2018
I am running into the following problem. Now I do realize
that this is a problem that has been seen before. I am still looking
through the archives trying to find a solution. I have seen one reference
to the problem but no solution was posted !!
The following is what I have
: RHEL7 , barnyard2-2-1.13, and Snort 18.104.22.168 GRE (Build 268). I have
built the exact setup on another RHEL7 server with all the same versions of
above listed software and did not have this problem.
Here is my current problem when starting barnyard2 I will see the following
warnings being reported in the journal:
[ Can't extract timestamp extension from 'unified2.15247xxxxx' using base
'unified' ] This warning cycles continually through listing the same
unified2 logs. I know that the snort.conf setting of 'nostamp' will usually
specify no time stamp but here is my snort.conf setting:
[ output unified2: filename /var/log/snort/unified2, limit 10 ]
I have deleted the older unified2 files prior to bringing up barnyard2
since they were a week or so old. I am also not seeing the waldo file being
created I have tried doing a touch /var/log/snort/barnyard2_waldo gave it
correct permissions ..I see a warning in the journal stating the waldo file
is truncated or corrupt...
I have noticed that the unified2 files are zero length so I am wondering if
this is why the waldo file is not being created. I've looked at the
interface an there is plenty of traffic going across it ...
I apologize if I am stating a known issue ...I'd appreciate anything anyone
can tell me to steer me in the right direction..
Thank You and Best
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the Snort-users