Re: Unable to configure unified2 output

[Todd Wease <twease () sourcefire com>]

On 03/30/2010 06:19 PM, Mike Lococo wrote:
> Greetings,
>
> I recently attempted to migrate to merged alert/log unified2 output
> using the following config:
>
>     output unified2: filename snort-unified2.log, limit 128
>
> When running this config I get snort.log.[epochtime] files instead of
> the snort-unified2.log.[epochtime] files that I expect.  The snort.log
> files are tcpdump formatted... not unified2.  It's not clear to my why
> this config doesn't work, it should be valid according to the manual and
> to many mailing-list examples.
>
> If I make a trivial change to the config above...
>
>     output log_unified2: filename snort-unified2.log, limit 128
>
> ... the tcpdump-formatted files are no longer created, and I do see
> snort-unified2.log.[epochtime] files as expected.  However, I'd like to
> have a "merged" unified2 log with both alert and log information in it
> as is specified in the previous "broken" config.
>
> If I run snort with no output-line configured at all, I get the same
> tcpdump-formatted snort.log files as I get with my broken unified2
> config, which makes me think that there is something causing my config
> line to be ignored and I'm falling through to a default.
>
> My initial configuration used the original unified "log" output and
> behaves as expected:
>
>     output log_unified: filename snort0.log, limit 128
>
> This created the expected snort0.log.[epochtime] files in
> /var/log/snort, and has worked well for quite some time.  I can switch
> back to this config now and it still works as expected, so I feel fairly
> confident in the rest of my snort config/infrastructure.
>
> Additional possibly relevant info:
> * I'm running the latest stable snort (2.8.5.3 - Build 124).
> * When running snort from the command line, I don't see any useful
> output printed to the screen in any of my test cases.  The only relevant
> line appears to be "Initializing Output Plugins!", which never changes
> or echoes the output configuration that is being initialized.
> * A similar problem was reported in the forum in November with no
> response:
> https://forums.snort.org/forums/snort-newbies/topics/problems-enabling-unified2-logging
>
> Does anyone have any ideas about what could be going wrong, or
> additional troubleshooting steps to take?  Since there's no error or
> problem indicator (other than failure to produce the desired logs) I'm
> not sure what to check next.
>
> Thanks,
> Mike Lococo
>    

Mike,

Can you post the command line you are using and your snort.conf so we 
can take a look?

Thanks,
Todd



------------------------------------------------------------------------------
Download Intel® Parallel Studio Eval
Try the new software tools for yourself. Speed compiling, find bugs
proactively, and fine-tune applications for parallel performance.
See why Intel Parallel Studio got high marks during beta.
http://p.sf.net/sfu/intel-sw-dev
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users