Re: Snort not logging to unified2

[Todd Wease <twease () sourcefire com>]

On Wed, Jan 30, 2013 at 4:35 AM, Sacher, Désirée
<Desiree.Sacher () six-group com> wrote:
> Hi all
>
>
>
> I have had snort distributed over 6 servers and about 30 interfaces for a
> few years now. We recently upgraded to 2.9.3 and I’m still trying to get
> barnyard2 to work with the logging to mysql. Now I’ve read of a few people
> who have issues when using snort on several interfaces, that the output is
> logged to pcap and not to unified2, which is what also happens here.
>
>
>
> Snort.conf is configured to log to unified2 (and syslog, but that part works
> fine):
>
> output unified2: filename snort.u2, limit 128
>
> output alert_syslog: LOG_LOCAL7 LOG_WARNING LOG_NDELAY
>
>
>
> the file is written but in pcap and not u2.  (error when trying to read it
> with u2spewfoo),
>
> it’s started up with the following attributes:
>
> snort     9485     1  0 09:41 ?        00:00:16 /usr/sbin/snort -s -D -i
> eth1 -u snort -g snort -c /etc/snort/snort.conf -l /var/log/snort/eth1
>
> snort     9495     1  0 09:41 ?        00:00:00 /usr/sbin/snort -s -D -i
> eth2 -u snort -g snort -c /etc/snort/snort.conf -l /var/log/snort/eth2
>
>
>
>
>
> root@sensor:/var/log/snort/eth1# tcpdump -r snort.log.1359535265
>
> reading from file snort.log.1359535265, link-type EN10MB (Ethernet)
>
> 10:02:15.777196 IP 1.1.1.1 > 2.2.2.2: ICMP echo request, id 1, seq 25,
> length 40
>
> 10:02:16.777892 IP 1.1.1.1 > 2.2.2.2: ICMP echo request, id 1, seq 26,
> length 40
>
> 10:02:17.776212 IP 1.1.1.1 > 2.2.2.2: ICMP echo request, id 1, seq 27,
> length 40
>
> 10:02:18.774413 IP 1.1.1.1 > 2.2.2.2: ICMP echo request, id 1, seq 28,
> length 40
>
>
>
> Can someone point me to why this problem occurs and how to fix it? Google
> didn’t help me yet and I couldn’t find the solution in old mailing list
> entries.
>
>
>
> Thank you
>
> -des

Hi Désirée,

It looks like the '-s' on the command line is overriding the logging
options you have in snort.conf and the '-l' on the command line is
causing Snort to log to the pcap default.  Since you already have a
line for syslog output in your snort.conf, you should be able to
remove the '-s' on the command line and logging to both unified2 and
syslog should work as expected.

Todd

------------------------------------------------------------------------------
Everyone hates slow websites. So do we.
Make your web apps faster with AppDynamics
Download AppDynamics Lite for free today:
http://p.sf.net/sfu/appdyn_d2d_jan
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!