Re: can't log to merged.log file in unified2 format in Version 2.9.9.0

["Berndt, Achim" <aberndt () studio-hamburg de>]

Hello,

ok, it's my fault.
I have disabled the blacklist directive in the preceding line
and forgot to delete ", \".
   whitelist $WHITE_LIST_PATH/white_list.rules,  \
#   blacklist $BLACK_LIST_PATH/black_list.rules
Apologies for the wasted time.

Regards
Achim


-----Ursprüngliche Nachricht-----
Von: Berndt, Achim 
Gesendet: Samstag, 22. April 2017 13:30
An: 'Russ' <rucombs () cisco com>; snort-users () lists sourceforge net
Betreff: AW: [Snort-users] can't log to merged.log file in unified2 format in Version 2.9.9.0

Hello,

that's my working config:

################################################################################
# unified2
# Recommended for most installs
# output unified2: filename merged.log, limit 128, nostamp, mpls_event_types, vlan_event_types output unified2: 
filename merged.log2, limit 128 output unified2: filename merged.log2, limit 128

# Additional configuration for specific types of installs # output alert_unified2: filename snort.alert, limit 128, 
nostamp # output log_unified2: filename snort.log, limit 128, nostamp # output alert_unified2: filename snort.alert2, 
limit 128 # output log_unified2: filename snort.log2, limit 128 # syslog # output alert_syslog: LOG_AUTH LOG_ALERT

# pcap
# output log_tcpdump: tcpdump.log

# metadata reference data.  do not modify these lines include classification.config include reference.config 
#################################################################################

it generate following logfiles:
-> merged.log2 (unified2 format)

If I enable:
output unified2: filename merged.log2, limit 128 output alert_unified2: filename snort.alert2, limit 128 output 
log_unified2: filename snort.log2, limit 128 it generate following logfiles:
-> snort.alert2 (unified2 format)
-> snort.log2 (unified2 format)

If I enable:
output alert_unified2: filename snort.alert2, limit 128 output log_unified2: filename snort.log2, limit 128 it generate 
following logfiles:
-> alert (pcap format)
-> snort.log2 (unified2 format)

It seems, that the first entry will be ignored?!

Regards
Achim



-----Ursprüngliche Nachricht-----
Von: Russ [mailto:rucombs () cisco com]
Gesendet: Freitag, 21. April 2017 15:09
An: Berndt, Achim <aberndt () studio-hamburg de>; snort-users () lists sourceforge net
Betreff: Re: [Snort-users] can't log to merged.log file in unified2 format in Version 2.9.9.0

What is in your conf on the preceding line?

On 4/21/17 6:26 AM, Berndt, Achim wrote:
> Hello,
>
> it works, if we put in the directive two times.
>
> output unified2: filename merged.u2, limit 128 output unified2: 
> filename merged.u2, limit 128
>
> it seems, that the first line will be ignored.
>
> Regards
> Achim
>
>
> ----------------------------------------------------------------------
> -------- Check out the vibrant tech community on one of the world's 
> most engaging tech sites, Slashdot.org! http://sdm.link/slashdot 
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
>
> Please visit http://blog.snort.org to stay current on all the latest Snort news!


------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!