Snort mailing list archives
Re: can't log to merged.log file in unified2 format in Version 2.9.9.0
From: Marcin Dulak <marcin.dulak () gmail com>
Date: Mon, 10 Apr 2017 17:03:40 +0200
I'm forwarding the message back to the list.

On Mon, Apr 10, 2017 at 4:55 PM, Berndt, Achim <aberndt () studio-hamburg de> wrote:

> Hello Marcin,
>
> I have deleted all files in /var/log/snort before I started snort again. It seems that snort doesn't accept the option "output unified2: filename merged.u2, limit 128, nostamp". Snort writes to 2 other filenames, "snort.log.timestamp" and "alert", in the pcap format. Only if I activate the option "output log_unified2: filename snort.u2, limit 128, nostamp" does Snort write in unified2 format. But unfortunately not the combined version.
>
> Regards
> Achim
>
> From: Marcin Dulak [mailto:marcin.dulak () gmail com]
> Sent: Monday, 10 April 2017 13:10
> To: Berndt, Achim <aberndt () studio-hamburg de>
> Cc: snort-users () lists sourceforge net
> Subject: Re: [Snort-users] can't log to merged.log file in unified2 format in Version 2.9.9.0
>
> On Mon, Apr 10, 2017 at 11:58 AM, Berndt, Achim <aberndt () studio-hamburg de> wrote:
>
>> Hello,
>>
>> I have a problem activating logging to a merged.log file in unified2 format, but not with separate logfiles snort.alert and snort.u2?! It worked with the same config in Version 2.9.8.3 with no problems.
>>
>> Snort started with the following options:
>>
>>     /usr/sbin/snort -d -D -i eth4 -u snort -g snort -c /etc/snort/snort.conf -l /var/log/snort
>>
>> Config setup for merged logfile:
>>
>>     output unified2: filename merged.u2, limit 128, nostamp
>>
>> generates 2 files (alert, snort.log.timestamp) in pcap format
>
> this is surprising - are you sure these files are not from a previous run, or due to some other output options being active in snort.conf in addition to "output unified2"?
>
> Do you need both alerts + payloads in merged.u2 or only alerts? If the latter then the -N command line switch is needed when starting snort.
>
> Note that snort.conf alone is not sufficient for controlling the output options - the -y and -N command line switches also have an effect on what log files are generated.
>
> Marcin
>
>> Config for separated logfiles:
>>
>>     output alert_unified2: filename snort.alert, limit 128, nostamp
>>     output log_unified2: filename snort.u2, limit 128, nostamp
>>
>> generates 2 files (snort.alert, snort.u2) in unified2 format
>>
>> Any ideas?
>>
>> Regards
>> Achim

------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most engaging tech sites, Slashdot.org! http://sdm.link/slashdot
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive: http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
Please visit http://blog.snort.org to stay current on all the latest Snort news!
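An added check, not part of the thread or of Snort itself, for the two questions Marcin raises above (are the files in the log directory really in pcap rather than unified2 format, and are they leftovers from a previous run): the script below classifies each file under a Snort log directory by its leading bytes and flags files whose modification time predates the Snort start time. The pcap global-header magic values and the unified2 record header layout (a big-endian record type followed by a big-endian record length) are the public formats; the directory used in the demo, the file names, the Snort start time and the sample bytes are constructed assumptions.

```python
import os
import struct
import tempfile
import time

# pcap global-header magic values: microsecond and nanosecond variants, both byte orders.
PCAP_MAGICS = {
    b"\xd4\xc3\xb2\xa1",  # 0xa1b2c3d4 written little-endian, microsecond timestamps
    b"\xa1\xb2\xc3\xd4",  # 0xa1b2c3d4 written big-endian, microsecond timestamps
    b"\x4d\x3c\xb2\xa1",  # 0xa1b23c4d written little-endian, nanosecond timestamps
    b"\xa1\xb2\x3c\x4d",  # 0xa1b23c4d written big-endian, nanosecond timestamps
}

# unified2 record types emitted by Snort 2.9. Every record starts with a header of
# two big-endian uint32 fields: the record type, then the length of the record body.
UNIFIED2_TYPES = {
    2: "PACKET",
    7: "IDS_EVENT",
    72: "IDS_EVENT_IPV6",
    99: "IDS_EVENT_MPLS",
    100: "IDS_EVENT_IPV6_MPLS",
    104: "IDS_EVENT_VLAN",
    105: "IDS_EVENT_IPV6_VLAN",
    110: "EXTRA_DATA",
}
MAX_RECORD_LEN = 1 << 20  # sanity bound; a packet record is only slightly larger than 64 KiB


def classify(head: bytes) -> str:
    """Classify the leading bytes of a log file as 'pcap', 'unified2', 'empty' or 'unknown'."""
    if not head:
        return "empty"
    if head[:4] in PCAP_MAGICS:
        return "pcap"
    if len(head) >= 8:
        rec_type, rec_len = struct.unpack("!II", head[:8])
        if rec_type in UNIFIED2_TYPES and 0 < rec_len <= MAX_RECORD_LEN:
            return "unified2"
    return "unknown"  # e.g. a text alert file, or something that is not a Snort log at all


def audit_log_dir(log_dir: str, started_at: float) -> dict:
    """Map each regular file in log_dir to its detected format and to whether its mtime
    predates started_at, i.e. whether it was left over from an earlier Snort run."""
    report = {}
    for name in sorted(os.listdir(log_dir)):
        path = os.path.join(log_dir, name)
        if not os.path.isfile(path):
            continue
        with open(path, "rb") as fh:
            head = fh.read(64)
        report[name] = {
            "format": classify(head),
            "stale": os.path.getmtime(path) < started_at,
        }
    return report


# Constructed sample inputs (not captured from a real Snort instance): a 24-byte pcap
# global header, a unified2 IDS_EVENT record header with a zeroed 52-byte body, and a
# one-line text alert.
SAMPLE_PCAP = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
SAMPLE_U2 = struct.pack("!II", 7, 52) + b"\x00" * 52
SAMPLE_TEXT_ALERT = b"[**] constructed text alert [**]\n"


def demo() -> dict:
    """Write the samples into a temporary directory standing in for /var/log/snort
    (an assumption) and audit it as if Snort had been started after they were written."""
    with tempfile.TemporaryDirectory() as log_dir:
        with open(os.path.join(log_dir, "snort.log.1491835200"), "wb") as fh:
            fh.write(SAMPLE_PCAP)
        with open(os.path.join(log_dir, "merged.u2"), "wb") as fh:
            fh.write(SAMPLE_U2)
        with open(os.path.join(log_dir, "alert"), "wb") as fh:
            fh.write(SAMPLE_TEXT_ALERT)
        # A start time in the future makes every sample file count as stale.
        return audit_log_dir(log_dir, started_at=time.time() + 60)


if __name__ == "__main__":
    for name, info in demo().items():
        note = " (stale, predates Snort start)" if info["stale"] else ""
        print(f"{name}: {info['format']}{note}")
```

Run against a real log directory, pass the process start time of the snort instance (for example from `ps -o lstart= -C snort` converted to an epoch) as `started_at`; any file reported as stale was not produced by the run under investigation, and any file reported as pcap or unknown was not written by a unified2 output plugin.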