Snort mailing list archives
Re: Barnyard syslog problem
From: Joel Esler <jesler () sourcefire com>
Date: Wed, 8 Jul 2009 20:30:26 -0400
Ah, I didn't understand that you were trying to process the log AND the alert files with two separate barnyards. I don't think it's possible to monitor both files with one instance of barnyard. But you can output in two methods from one running process of Barnyard, which is what I was trying to get across.

Joel

On Wed, Jul 8, 2009 at 6:54 PM, Jefferson, Shawn <Shawn.Jefferson () bcferries com> wrote:
Looking into running two output plugins (one for alert and one for log unified files) with one barnyard instance, and the configuration allows me to specify both, and testing with -R shows both, but how does the bookmark file work in this scenario? Any barnyard experts know? Do you have to run two instances if you want to process both the alert and log unified files with barnyard?

The bookmark file looks like this (for my alert barnyard):

/var/log/snort snort.alert 1246658739 205

Thanks,
Shawn

------------------------------
*From:* Jefferson, Shawn [mailto:Shawn.Jefferson () bcferries com]
*Sent:* July 08, 2009 3:27 PM
*To:* Joel Esler
*Cc:* Snort Users
*Subject:* Re: [Snort-users] Barnyard syslog problem

Hi Joel,

I'm using two separate waldo files, and I was also under the impression that you HAVE to run two separate barnyard instances if you want to do what I am trying to do (send log to BASE and send alert to syslog). Do you know differently? (I did try it originally and it didn't work.)

------------------------------
*From:* Joel Esler [mailto:jesler () sourcefire com]
*Sent:* July 08, 2009 3:21 PM
*To:* Jefferson, Shawn
*Cc:* Snort Users
*Subject:* Re: [Snort-users] Barnyard syslog problem

On Wed, Jul 8, 2009 at 6:06 PM, Jefferson, Shawn <Shawn.Jefferson () bcferries com> wrote:

/usr/local/bin/barnyard -c /etc/snort/barnyard-alert.conf -g /etc/snort/gen-msg.map -s /etc/snort/sid-msg.map -d /var/log/snort -f snort.alert -w /etc/snort/byalert.waldo -a /tmp/ &

<Shot in the dark to eliminate stupid things>

Are you using the same waldo file for both barnyard instances?

Wait, why are you running two barnyards? Use one. The one that works.

J

--
joel esler | Sourcefire | AIM: eslerjoel | 302-223-5974
-- joel esler | Sourcefire | AIM: eslerjoel | 302-223-5974
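As an added example (not code from this thread or from Barnyard itself), a small Python reader for a bookmark line like the one Shawn pasted, plus the check Joel asks about: whether two barnyard instances were started with the same waldo file. The field meanings, the `<base>.<timestamp>` unified-file naming and the path `bylog.waldo` are assumptions/constructed values, not taken from the thread.

```python
"""Parse Barnyard 0.2-style bookmark (waldo) files and check that each
barnyard instance has its own bookmark. Constructed example; the field
layout (spool directory, base filename, unified-file timestamp, record
index) is an assumption based on the one sample line in the thread."""
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Bookmark:
    spool_dir: str
    base_name: str
    timestamp: int   # suffix of the unified file barnyard is reading (assumed)
    record: int      # records already processed in that file (assumed)

    def unified_path(self) -> str:
        # Assumption: unified output files are named <base>.<timestamp> in the spool dir.
        return f"{self.spool_dir}/{self.base_name}.{self.timestamp}"


def parse_waldo(text: str) -> Bookmark:
    """Parse one bookmark line; reject anything that is not four fields."""
    fields = text.split()
    if len(fields) != 4:
        raise ValueError(f"expected 4 fields, got {len(fields)}: {text!r}")
    spool_dir, base_name, ts, rec = fields
    if not (ts.isdigit() and rec.isdigit()):
        raise ValueError(f"timestamp and record index must be integers: {text!r}")
    return Bookmark(spool_dir, base_name, int(ts), int(rec))


def shared_waldos(instances: list[tuple[str, str]]) -> list[str]:
    """instances: (instance name, waldo path) pairs as given with -w.
    Two instances pointing at one waldo overwrite each other's position,
    so any path used by more than one instance is reported."""
    counts = Counter(path for _, path in instances)
    return sorted(path for path, n in counts.items() if n > 1)


if __name__ == "__main__":
    # Sample bookmark line from the thread; the second instance path is constructed.
    bm = parse_waldo("/var/log/snort snort.alert 1246658739 205")
    print(bm.unified_path(), "record", bm.record)
    print(shared_waldos([("alert", "/etc/snort/byalert.waldo"),
                         ("log", "/etc/snort/bylog.waldo")]))
```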