Snort mailing list archives
Snort 3 output to linux journal is buffered?
From: "Neville, Andrew via Snort-devel" <snort-devel () lists snort org>
Date: Mon, 7 Nov 2022 15:08:59 +0000
Hi, I'm looking for some help with a slightly odd behaviour we see when running Snort 3 as a systemd service.

When Snort 3 is started from a simple systemd service definition it does not immediately show its normal full startup information in the journal. I'm expecting approximately 300 lines ending with "Commencing packet processing" and then the list of interfaces it's monitoring, but I don't get all lines, only around 230-ish lines. The only way to get the remaining output seems to be to make Snort write something else to the journal, like sending it a USR1 signal. And actually, in response to the USR1 signal, again we see only some of the USR1 runtime information written to the journal. We have to send the USR1 signal twice in order to make sure we immediately get all the output from the first signal.

When running Snort in the foreground, all the expected output is displayed to the terminal immediately. Similarly, starting Snort 3 at the command line but putting it into the background still allows all the startup and USR1 information to display fully.

The most recent test I've tried is with Snort 3 compiled on a basic CentOS 8 Stream VM, following the guide from snort.org, with a really vanilla configuration as far as I can tell (registered rules were loaded).

    snort -V

       ,,_     -*> Snort++ <*-
      o"  )~   Version 3.1.43.0
       ''''    By Martin Roesch & The Snort Team
               http://snort.org/contact#team
               Copyright (C) 2014-2022 Cisco and/or its affiliates. All rights reserved.
               Copyright (C) 1998-2013 Sourcefire, Inc., et al.
               Using DAQ version 3.0.9
               Using LuaJIT version 2.1.0-beta3
               Using OpenSSL 1.1.1k  FIPS 25 Mar 2021
               Using libpcap version 1.9.1 (with TPACKET_V3)
               Using PCRE version 8.42 2018-03-20
               Using ZLIB version 1.2.11
               Using Hyperscan version 5.3.0 2020-08-10
               Using LZMA version 5.2.4

As far as I know this behaviour is not a result of any journald configuration (I just have the default) and we have seen the same behaviour with Alma and Ubuntu too.
Anyone have any pointers please?

Thanks,
Andrew.

Andrew Neville
Defence & National Security
Fujitsu
Jays Close, Viables Industrial Estate, Basingstoke, Hampshire, RG22 4BY
Email: andrew.neville () fujitsu co uk
_______________________________________________
Snort-devel mailing list
Snort-devel () lists snort org
https://lists.snort.org/mailman/listinfo/snort-devel
Please visit http://blog.snort.org for the latest news about Snort!
Current thread:
- Snort 3 output to linux journal is buffered? Neville, Andrew via Snort-devel (Nov 07)
- Re: Snort 3 output to linux journal is buffered? Adrian Mamolea (admamole) via Snort-devel (Nov 08)
- Re: Snort 3 output to linux journal is buffered? Neville, Andrew via Snort-devel (Nov 14)
- Re: Snort 3 output to linux journal is buffered? Adrian Mamolea (admamole) via Snort-devel (Nov 08)