Snort mailing list archives

Barnyard problem?


From: James <snort () cyclohexane net>
Date: Thu, 17 Dec 2015 15:57:11 +0000

Hi,

I tried the barnyard users mailing list but this one is a bit more
populated so I'm trying here too. I am attempting to run 16 instances of
snort which, via pf_ring, are monitoring 2 x 10Gb NICs. That part is
working and Snort is logging to a unified2 file. This is in my snort.conf:

output unified2: filename merged.log, limit 1024, nostamp, mpls_event_types, vlan_event_types

Snort is started via this command line (I'm simplifying to a single
instance here for debug purposes):

snort -q -u snort -g snort --pid-path /var/run --create-pidfile -D \
  -c /etc/snort/snort.conf -l /logs/snort/eth4_eth5/instance-0 \
  --daq-dir=/usr/local/lib/daq --daq pfring_zc --daq-mode passive \
  -i zc:eth4@0,zc:eth5@0 --daq-var clusterid=0 --daq-var bindcpu=0

Within that log dir I see the merged.log file is created:

[ ~]$ sudo ls -l /logs/snort/eth4_eth5/instance-0
total 68
-rw-r--r-- 1 snort snort     0 Dec 16 11:22 bylog.waldo
-rw------- 1 snort snort 63957 Dec 16 15:43 merged.log
-rw------- 1 snort snort     6 Dec 16 11:23 snort_zc:eth4@0,zc:eth5@0.pid
-rwx------ 1 snort snort     0 Dec 16 11:23 snort_zc:eth4@0,zc:eth5@0.pid.lck

Barnyard is started via this command line:

barnyard2 -q -u snort -g snort -D -c /etc/snort/barnyard2.conf \
  -d /logs/snort/eth4_eth5/instance-0 -f merged.log -i eth4_eth5-0 \
  -w /logs/snort/eth4_eth5/instance-0/bylog.waldo

But, as you can see from the dir listing above, the bylog.waldo file
remains at 0 bytes and I receive no events at barnyard's configured
syslog output server. I know alerts have been generated because Snort is also
(temporarily) set to log to syslog directly. Barnyard is definitely running
and /var/log/messages shows it is waiting for a new spool file. It does warn
about a corrupt/truncated waldo file, but I gather from other forum posts
that is normal on first run. The u2spewfoo command shows the merged.log
file as being a valid file which contains events.

Any help would be very much appreciated.

Thanks
J.
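The post relies on u2spewfoo to confirm that merged.log is a valid unified2 spool with events in it. The following is an added example, not code from the post or from Snort/barnyard2, showing how to make that check independently: it walks the unified2 record framing (8-byte big-endian type/length header per record), counts records per type, flags a truncated tail, and decodes the VLAN-tagged IDS event layout that the `vlan_event_types` option selects. The record type ids are Snort's; the sample byte stream and its addresses, signature ids and VLAN are constructed for the example.

```python
import struct
import socket

# Record type ids from Snort's Unified2_common.h
UNIFIED2_PACKET = 2
UNIFIED2_IDS_EVENT = 7
UNIFIED2_IDS_EVENT_VLAN = 104
UNIFIED2_EXTRA_DATA = 110

# Unified2IDSEvent (type 104), the 60-byte layout used with vlan_event_types
VLAN_EVENT_FMT = ">9IIIHH4BIHH"


def walk_unified2(data):
    """Split a unified2 byte stream into (type, payload) records.

    Returns (records, truncated); truncated is True when the stream ends
    inside a record, i.e. the file is still being written or is damaged.
    """
    records, off = [], 0
    while off + 8 <= len(data):
        rtype, rlen = struct.unpack_from(">II", data, off)
        if off + 8 + rlen > len(data):
            break
        records.append((rtype, data[off + 8:off + 8 + rlen]))
        off += 8 + rlen
    return records, off != len(data)


def decode_vlan_event(payload):
    """Extract the fields an analyst checks first from a type-104 record."""
    f = struct.unpack(VLAN_EVENT_FMT, payload[:struct.calcsize(VLAN_EVENT_FMT)])
    return {"gid_sid_rev": (f[5], f[4], f[6]),
            "src": socket.inet_ntoa(struct.pack(">I", f[9])),
            "dst": socket.inet_ntoa(struct.pack(">I", f[10])),
            "sport": f[11], "dport": f[12], "proto": f[13], "vlan": f[18]}


def summarize(data):
    """Count records per type, a minimal u2spewfoo-style sanity check."""
    records, truncated = walk_unified2(data)
    by_type = {}
    for rtype, _ in records:
        by_type[rtype] = by_type.get(rtype, 0) + 1
    return {"records": len(records), "by_type": by_type, "truncated": truncated}


# Constructed sample stream (not from the post): one VLAN-tagged IDS event,
# one packet record, then a record header whose body was cut off.
_event = struct.pack(VLAN_EVENT_FMT, 0, 1, 1450281600, 0, 2100498, 1, 7, 1, 2,
                     0xC0A80105, 0x0A000001, 12345, 80, 6, 0, 0, 0, 0, 100, 0)
_pkt = struct.pack(">7I", 0, 1, 1450281600, 1450281600, 0, 1, 4) + b"\xde\xad\xbe\xef"
SAMPLE = (struct.pack(">II", UNIFIED2_IDS_EVENT_VLAN, len(_event)) + _event
          + struct.pack(">II", UNIFIED2_PACKET, len(_pkt)) + _pkt
          + struct.pack(">II", UNIFIED2_IDS_EVENT, 52) + b"\x00" * 10)
```

To run it against a real spool, call `summarize(open(path, "rb").read())`; a `truncated` result on a file Snort is still writing is expected, on a closed file it is not.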