Snort mailing list archives
Re: Barnyard2 conf syntax for syslog
From: "Jefferson, Shawn" <Shawn.Jefferson () bcferries com>
Date: Fri, 4 Sep 2009 16:58:51 -0600
I'm running barnyard2 2.1.6 on Ubuntu 8.04. Testing my config with -T starts it up fine, no errors on the console, but that warning message appears in the daemon.log.

-----Original Message-----
From: Paul Schmehl [mailto:pschmehl_lists () tx rr com]
Sent: Friday, September 04, 2009 3:54 PM
To: Jefferson, Shawn; snort-users () lists sourceforge net
Subject: RE: [Snort-users] Barnyard2 conf syntax for syslog

Should have asked you this long ago - what version of barnyard2 are you running?

I just tested this:

output alert_syslog: host=ipaddress LOG_AUTH LOG_INFO

and barnyard2 starts fine. Then I tested this:

output alert_syslog: host=ipaddress:port LOG_AUTH LOG_INFO

Barnyard2 still starts fine. No errors. I'm running 1.6 on FreeBSD 7.2 amd64.

--On Friday, September 04, 2009 16:32:31 -0500 "Jefferson, Shawn" <Shawn.Jefferson () bcferries com> wrote:

Doh, sorry both ip addresses are 172.16.8.196... I meant to change them both to 1.1.1.1, but there's no point to trying to hide those details now. :)

-----Original Message-----
From: Jefferson, Shawn [mailto:Shawn.Jefferson () bcferries com]
Sent: Friday, September 04, 2009 2:24 PM
To: Paul Schmehl; snort-users () lists sourceforge net
Subject: Re: [Snort-users] Barnyard2 conf syntax for syslog

Really? When I try that (with an ip address not a hostname), I get this message in the daemon.log:

Sep 4 14:18:22 bcfids02 barnyard2: WARNING => Unrecognized syslog facility/priority: 1.1.1.1

My output line in the barnyard2.conf file is:

output alert_syslog: 172.16.8.196 LOG_AUTH LOG_INFO

I even tried LOG_AUTH_LOG_INFO like in your email, which I think is a typo, but it didn't work either (same message in the daemon.log).

-----Original Message-----
From: Paul Schmehl [mailto:pschmehl_lists () tx rr com]
Sent: Friday, September 04, 2009 1:43 PM
To: Jefferson, Shawn; snort-users () lists sourceforge net
Subject: RE: [Snort-users] Barnyard2 conf syntax for syslog

Yes, I did mean colon, not semi-colon. I tested that config on my sensor, and it worked fine. IOW, "output alert_syslog: hostname.utdallas.edu LOG_AUTH_LOG_INFO" worked for me. Note that there are no commas separating the values of the various attributes, just spaces. I tested this on a working install of barnyard2 on amd64 FreeBSD 7.2.

--On Friday, September 04, 2009 14:21:04 -0500 "Jefferson, Shawn" <Shawn.Jefferson () bcferries com> wrote:

That was just a typo in my email, I have the colon (you mean colon not semi-colon right?) in the conf file.

--
Paul Schmehl, Senior Infosec Analyst
As if it wasn't already obvious, my opinions are my own and not those of my employer.
*******************************************
"It is as useless to argue with those who have renounced the use of reason as to administer medication to the dead."
Thomas Jefferson

------------------------------------------------------------------------------
Let Crystal Reports handle the reporting - Free Crystal Reports 2008 30-Day trial. Simplify your report design, integration and deployment - and focus on what you do best, core application coding. Discover what's new with Crystal Reports now. http://p.sf.net/sfu/bobj-july
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users

"This e-mail and any attached documents may contain confidential or proprietary information. If you are not the intended recipient, please advise the sender immediately and delete this e-mail and all attached documents from your computer system. Any unauthorised disclosure, distribution or copying hereof is prohibited."
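The thread narrows the problem down to how barnyard2 tokenizes the `output alert_syslog:` line: a `host=addr` or `host=addr:port` token is accepted, every other token has to be a syslog facility or priority name, and anything else (a bare IP address, or the run-together `LOG_AUTH_LOG_INFO`) is reported as "Unrecognized syslog facility/priority". The checker below is an added example written for this thread, not barnyard2's own parser; it encodes those observations so a config line can be linted before restarting the daemon. The facility and priority name sets are the standard syslog(3) names (an assumption, not barnyard2's exact table), the bare-address form is flagged the way Shawn's 2.1.6 build reported it rather than the way Paul's 1.6 build accepted a bare hostname, and the sample lines at the bottom are constructed from the ones quoted in the thread.

```python
"""Lint barnyard2 'output alert_syslog:' lines (hypothetical checker for this thread)."""
import re

# Standard syslog(3) facility and priority names (assumed set; barnyard2's own
# table may differ slightly across versions).
SYSLOG_FACILITIES = {
    "LOG_AUTH", "LOG_AUTHPRIV", "LOG_CRON", "LOG_DAEMON", "LOG_FTP", "LOG_KERN",
    "LOG_LPR", "LOG_MAIL", "LOG_NEWS", "LOG_SYSLOG", "LOG_USER", "LOG_UUCP",
    "LOG_LOCAL0", "LOG_LOCAL1", "LOG_LOCAL2", "LOG_LOCAL3",
    "LOG_LOCAL4", "LOG_LOCAL5", "LOG_LOCAL6", "LOG_LOCAL7",
}
SYSLOG_PRIORITIES = {
    "LOG_EMERG", "LOG_ALERT", "LOG_CRIT", "LOG_ERR",
    "LOG_WARNING", "LOG_NOTICE", "LOG_INFO", "LOG_DEBUG",
}

# 'host=<name-or-ipv4>' with an optional ':port', the form the thread found works.
# IPv6 literals are not handled here.
HOST_RE = re.compile(r"^host=(?P<host>[^:\s,]+)(?::(?P<port>\d{1,5}))?$")
DIRECTIVE_RE = re.compile(r"^\s*output\s+alert_syslog\s*:\s*(?P<args>.*?)\s*$")


def lint_alert_syslog(line):
    """Parse one config line and return the recognised pieces plus warnings.

    Warnings are phrased like the message barnyard2 writes to daemon.log so a
    reader can match them against what they see in the log.
    """
    result = {"host": None, "port": None, "facility": None,
              "priority": None, "warnings": []}
    m = DIRECTIVE_RE.match(line)
    if not m:
        result["warnings"].append(
            "not an 'output alert_syslog:' line (colon after alert_syslog missing?)")
        return result

    args = m.group("args")
    if "," in args:
        # Values are separated by spaces, not commas; keep parsing after noting it.
        result["warnings"].append("values are separated by spaces, not commas")
        args = args.replace(",", " ")

    for tok in args.split():
        hm = HOST_RE.match(tok)
        if hm:
            result["host"] = hm.group("host")
            result["port"] = int(hm.group("port")) if hm.group("port") else None
            continue
        if tok in SYSLOG_FACILITIES:
            result["facility"] = tok
        elif tok in SYSLOG_PRIORITIES:
            result["priority"] = tok
        else:
            # A bare address or a fused name like LOG_AUTH_LOG_INFO lands here.
            result["warnings"].append(
                "Unrecognized syslog facility/priority: %s" % tok)
    return result


def is_clean(line):
    """True when the line parses without any warning."""
    return not lint_alert_syslog(line)["warnings"]


if __name__ == "__main__":
    # Constructed sample lines based on the ones quoted in the thread.
    for sample in (
        "output alert_syslog: host=172.16.8.196 LOG_AUTH LOG_INFO",
        "output alert_syslog: host=172.16.8.196:514 LOG_AUTH LOG_INFO",
        "output alert_syslog: 172.16.8.196 LOG_AUTH LOG_INFO",
        "output alert_syslog: host=172.16.8.196 LOG_AUTH_LOG_INFO",
    ):
        print(sample, "->", lint_alert_syslog(sample)["warnings"] or "ok")
```

Running the module prints one line per sample; the first two come back clean and the last two reproduce the "Unrecognized syslog facility/priority" warning for the bare address and for the fused facility/priority name.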
Current thread:
- Re: Barnyard2 conf syntax for syslog Paul Schmehl (Sep 07)
- Re: Barnyard2 conf syntax for syslog Jefferson, Shawn (Sep 07)
- Re: Barnyard2 conf syntax for syslog Paul Schmehl (Sep 07)
- Re: Barnyard2 conf syntax for syslog Jefferson, Shawn (Sep 07)
- Message not available
- Message not available
- Re: Barnyard2 conf syntax for syslog Jefferson, Shawn (Sep 07)
- Re: Barnyard2 conf syntax for syslog Jefferson, Shawn (Sep 07)
- Re: Barnyard2 conf syntax for syslog firnsy (Sep 07)
- Re: Barnyard2 conf syntax for syslog Paul Schmehl (Sep 07)
- Re: Barnyard2 conf syntax for syslog Jefferson, Shawn (Sep 07)
- Re: Barnyard2 conf syntax for syslog Jefferson, Shawn (Sep 07)