Snort mailing list archives
Re[4]: unified format
From: Igor Belikov <ivb () is ua>
Date: Fri, 19 Aug 2005 14:41:55 +0300
Hello Roland,

Friday, August 19, 2005, 1:50:11 PM, you wrote:

>> When I run barnyard to monitor unified log - no events stored in DB. Please, anybody can help me to configure barnyard?

RTS> At this point, we probably need to see your snort and barnyard
RTS> configuration files.

- >8 - - >8 - - >8 - part of snort.conf - >8 - - >8 - - >8 -
output alert_unified: filename snort.alert, limit 128
output log_unified: filename snort.log, limit 128
- >8 - - >8 - - >8 - part of snort.conf - >8 - - >8 - - >8 -

- >8 - - >8 - - >8 - part of barnyard.conf - >8 - - >8 - - >8 -
output alert_acid_db: mysql, sensor_id 1, database snort, server xxxx, user xxxx, password xxxx
output log_acid_db: mysql, sensor_id 1, database snort, server xxxx, user xxxx, password xxxx, detail full
- >8 - - >8 - - >8 - part of barnyard.conf - >8 - - >8 - - >8 -

- >8 - - >8 - - >8 - part of running script - >8 - - >8 - - >8 -
SNORT_BIN=/usr/local/snort/bin/snort
SNORT_CONF=/usr/local/snort/etc/snort.conf
SNORT_LOG=/var/log/snort
BARNYARD_BIN=/usr/local/barnyard/bin/barnyard
BARNYARD_CONF=/usr/local/barnyard/etc/barnyard.conf

startproc $SNORT_BIN -d -D -i any -l $SNORT_LOG -c $SNORT_CONF
startproc $BARNYARD_BIN -D -c $BARNYARD_CONF -d $SNORT_LOG -f snort.alert -w $SNORT_LOG/barnyard.waldo
- >8 - - >8 - - >8 - part of running script - >8 - - >8 - - >8 -

(-g, -s and -p in the barnyard command line are omitted in the above example)

When I use "-f snort.alert", I get alert events in the DB, but don't get the payload.
When I use "-f snort.log", I don't get alert events in the DB.
--
Best regards,
Igor                            mailto:ivb () is ua
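The page does not carry Roland's follow-up, so no resolution is recorded here. What follows is an added example, not code from the thread: a POSIX sh start script that launches one barnyard instance per unified stream. It assumes barnyard's 0.2-era command line (-c, -d, -f, -w, as in Igor's own script) and the paths from his post; the premise that each stream needs its own instance and its own waldo file, because a single -f selects exactly one unified base filename and the waldo bookmark tracks the position within that one file, is my assumption about the tool's behaviour rather than something the page states.

```shell
#!/bin/sh
# Added example: start barnyard once per unified stream (alert and log).
# Paths are taken from the post; the CLI layout is assumed to be barnyard 0.2.
SNORT_LOG=/var/log/snort
BARNYARD_BIN=/usr/local/barnyard/bin/barnyard
BARNYARD_CONF=/usr/local/barnyard/etc/barnyard.conf

# Build the argument list for one unified stream. The waldo file is derived
# from the stream name so the two instances never share a bookmark; if they
# did, each would resume from the other's offset and skip records.
barnyard_args() {
    stream=$1
    case "$stream" in
        snort.alert|snort.log) ;;
        *) echo "unknown unified stream: $stream" >&2; return 1 ;;
    esac
    waldo="$SNORT_LOG/barnyard-${stream#snort.}.waldo"
    printf '%s\n' "-D -c $BARNYARD_CONF -d $SNORT_LOG -f $stream -w $waldo"
}

# Sanity check used before launching: the two streams must resolve to
# distinct waldo files. Returns 0 when they differ, 1 otherwise.
waldo_files_distinct() {
    a=$(barnyard_args snort.alert | sed 's/.* -w //')
    l=$(barnyard_args snort.log | sed 's/.* -w //')
    [ "$a" != "$l" ]
}

# Launch one instance. DRY_RUN=1 prints the command instead of executing it,
# which lets the script be exercised on a host without barnyard installed.
start_barnyard() {
    args=$(barnyard_args "$1") || return 1
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf '%s %s\n' "$BARNYARD_BIN" "$args"
    else
        # shellcheck disable=SC2086  # word splitting of $args is intended
        "$BARNYARD_BIN" $args
    fi
}

main() {
    waldo_files_distinct || { echo "waldo files collide" >&2; exit 1; }
    start_barnyard snort.alert   # alert records: event data, no payload
    start_barnyard snort.log     # log records: full packet for the DB
}

# Only run main when executed directly, not when sourced for its functions.
case "$0" in
    *sh) ;;
    *) [ "${DRY_RUN:-0}" = 1 ] && main ;;
esac
```

Run it with DRY_RUN=1 to see the two command lines before pointing it at a real barnyard binary; with -g, -s and -p added back as in the post, each instance will run under the unprivileged account and pick up the sid-msg and gen-msg maps.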
Current thread:
- unified format Igor Belikov (Aug 18)
- <Possible follow-ups>
- Re: unified format Roland Turner (SourceForge) (Aug 19)
- Re[2]: unified format Igor Belikov (Aug 19)
- Re: Re[2]: unified format Roland Turner (SourceForge) (Aug 19)
- Re[4]: unified format Igor Belikov (Aug 19)
- Re: Re[4]: unified format Roland Turner (SourceForge) (Aug 19)
- Fwd: Re[4]: unified format Bamm Visscher (Aug 19)
- Re: Fwd: Re[4]: unified format Igor Belikov (Aug 22)