Snort mailing list archives

Re: Barnyard syslog problem


From: "Jefferson, Shawn" <Shawn.Jefferson () bcferries com>
Date: Wed, 8 Jul 2009 16:06:05 -0600

/usr/local/bin/barnyard -c /etc/snort/barnyard-alert.conf -g /etc/snort/gen-msg.map -s /etc/snort/sid-msg.map -d /var/log/snort -f snort.alert -w /etc/snort/byalert.waldo -a /tmp/ &

________________________________
From: Joel Esler [mailto:jesler () sourcefire com]
Sent: July 08, 2009 2:55 PM
To: Jefferson, Shawn
Cc: Snort Users
Subject: Re: [Snort-users] Barnyard syslog problem

We're probably going to need your barnyard command line as well.
On Wed, Jul 8, 2009 at 5:11 PM, Jefferson, Shawn <Shawn.Jefferson () bcferries com> wrote:
Hi,

I have Snort outputting in unified format, and two instances of Barnyard (version 0.20) running, one that sends the log 
data to BASE, and another that sends the alert data to a syslog server.  This was working perfectly until just 
recently, and I can't see what would be wrong.  I've recently updated to Snort 2.8.4.1, and of course Ubuntu OS patches.

Running tcpdump shows the OS syslog messages being sent to my syslog server, but nothing from barnyard.  Snort is 
creating the alert files, and barnyard seems to be processing them (the waldo file is being updated), but nothing comes 
out via syslog.

Snort config:
output alert_unified: filename snort.alert, limit 128

Barnyard config:
output alert_syslog2: severity: ALERT; syslog_host: 1.1.1.1;

--
Shawn Jefferson



------------------------------------------------------------------------------
Enter the BlackBerry Developer Challenge
This is your chance to win up to $100,000 in prizes! For a limited time,
vendors submitting new applications to BlackBerry App World(TM) will have
the opportunity to enter the BlackBerry Developer Challenge. See full prize
details at: http://p.sf.net/sfu/Challenge
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users



--
joel esler | Sourcefire | AIM: eslerjoel | 302-223-5974
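When barnyard appears to process the unified file but nothing reaches the syslog server, it helps to separate the receiving side from barnyard itself. The following added example (not code from the thread or from barnyard) parses an `output alert_syslog2:` line like the one quoted above, computes the RFC 3164 PRI for the configured severity, and sends a probe datagram to the configured `syslog_host`; the `facility` and `syslog_port` keys and their defaults are assumptions, not taken from the thread.

```python
import re
import socket
import time

# RFC 3164 severity and facility codes; barnyard's "severity: ALERT" maps to 1.
SEVERITY = {"EMERG": 0, "ALERT": 1, "CRIT": 2, "ERR": 3,
            "WARNING": 4, "NOTICE": 5, "INFO": 6, "DEBUG": 7}
FACILITY = {"KERN": 0, "USER": 1, "MAIL": 2, "DAEMON": 3, "AUTH": 4, "SYSLOG": 5,
            "LPR": 6, "NEWS": 7, "UUCP": 8, "CRON": 9, "AUTHPRIV": 10, "FTP": 11}
FACILITY.update({"LOCAL%d" % i: 16 + i for i in range(8)})

OUTPUT_RE = re.compile(r"^\s*output\s+alert_syslog2:\s*(?P<opts>.*)$")


def parse_alert_syslog2(line):
    """Split 'key: value; key: value;' options into a dict with lower-cased keys."""
    m = OUTPUT_RE.match(line)
    if not m:
        raise ValueError("not an alert_syslog2 output line: %r" % line)
    opts = {}
    for field in m.group("opts").split(";"):
        key, sep, value = field.partition(":")
        if sep:  # skip the empty tail left by the trailing ';'
            opts[key.strip().lower()] = value.strip()
    return opts


def syslog_pri(severity, facility="LOCAL0"):
    """RFC 3164 PRI = facility * 8 + severity; ALERT on LOCAL0 gives <129>."""
    return FACILITY[facility.upper()] * 8 + SEVERITY[severity.upper()]


def build_probe(opts, hostname="sensor", tag="barnyard-probe"):
    """Build a syslog datagram carrying the severity from the parsed config line."""
    # 'facility' is an assumed key with an assumed LOCAL0 default.
    pri = syslog_pri(opts.get("severity", "ALERT"), opts.get("facility", "LOCAL0"))
    stamp = time.strftime("%b %d %H:%M:%S")
    return "<%d>%s %s %s: probe to verify syslog delivery" % (pri, stamp, hostname, tag)


def send_probe(opts, timeout=2.0):
    """Send the probe over UDP to syslog_host; returns the number of bytes sent."""
    host = opts["syslog_host"]
    port = int(opts.get("syslog_port", 514))  # assumed key and default port
    payload = build_probe(opts).encode("ascii")
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        return s.sendto(payload, (host, port))


if __name__ == "__main__":
    cfg = parse_alert_syslog2("output alert_syslog2: severity: ALERT; syslog_host: 1.1.1.1;")
    print(cfg, build_probe(cfg))
```

If the probe shows up on the syslog server (and in tcpdump) while barnyard's messages do not, the receiving side is fine and attention belongs on the barnyard side of the pipeline.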
