Snort mailing list archives

Re: Snort not logging to unified2


From: Sacher, Désirée <Desiree.Sacher () six-group com>
Date: Wed, 30 Jan 2013 15:14:18 +0000

Hi Todd

Thank you very much, that was it. Oo

-des

-----Original Message-----
From: Todd Wease [mailto:twease () sourcefire com] 
Sent: Wednesday, 30 January 2013 15:52
To: Sacher, Désirée
Cc: snort-users () lists sourceforge net
Subject: Re: [Snort-users] Snort not logging to unified2

On Wed, Jan 30, 2013 at 4:35 AM, Sacher, Désirée <Desiree.Sacher () six-group com> wrote:
Hi all

I have had snort distributed over 6 servers and about 30 interfaces for a few years now. We recently upgraded to 2.9.3 and I’m still trying to get barnyard2 to work with the logging to mysql. Now I’ve read of a few people who have issues when using snort on several interfaces, that the output is logged to pcap and not to unified2, which is what also happens here.

Snort.conf is configured to log to unified2 (and syslog, but that part works fine):

output unified2: filename snort.u2, limit 128
output alert_syslog: LOG_LOCAL7 LOG_WARNING LOG_NDELAY

The file is written but in pcap and not u2 (error when trying to read it with u2spewfoo). It’s started up with the following attributes:

snort     9485     1  0 09:41 ?        00:00:16 /usr/sbin/snort -s -D -i eth1 -u snort -g snort -c /etc/snort/snort.conf -l /var/log/snort/eth1
snort     9495     1  0 09:41 ?        00:00:00 /usr/sbin/snort -s -D -i eth2 -u snort -g snort -c /etc/snort/snort.conf -l /var/log/snort/eth2

root@sensor:/var/log/snort/eth1# tcpdump -r snort.log.1359535265
reading from file snort.log.1359535265, link-type EN10MB (Ethernet)
10:02:15.777196 IP 1.1.1.1 > 2.2.2.2: ICMP echo request, id 1, seq 25, length 40
10:02:16.777892 IP 1.1.1.1 > 2.2.2.2: ICMP echo request, id 1, seq 26, length 40
10:02:17.776212 IP 1.1.1.1 > 2.2.2.2: ICMP echo request, id 1, seq 27, length 40
10:02:18.774413 IP 1.1.1.1 > 2.2.2.2: ICMP echo request, id 1, seq 28, length 40

Can someone point me to why this problem occurs and how to fix it? Google didn’t help me yet and I couldn’t find the solution in old mailing list entries.

Thank you

-des

Hi Désirée,

It looks like the '-s' on the command line is overriding the logging options you have in snort.conf and the '-l' on the 
command line is causing Snort to log to the pcap default.  Since you already have a line for syslog output in your 
snort.conf, you should be able to remove the '-s' on the command line and logging to both unified2 and syslog should 
work as expected.

Todd
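Two checks a sensor operator can script from Todd's diagnosis, as an added example that is not part of the thread: tell a pcap file from a unified2 file by its first bytes (so the u2spewfoo error is caught before barnyard2 is involved), and flag a Snort command line whose '-s' switch overrides the output plugins in snort.conf. The unified2 record-type values are taken from Snort's Unified2_common.h as I recall them and the sample inputs are constructed from the process list and config lines quoted above.

```python
import shlex
import struct

# Unified2 record types (values as found in Snort's Unified2_common.h; assumed here).
UNIFIED2_TYPES = {2: "PACKET", 7: "IDS_EVENT", 72: "IDS_EVENT_IPV6",
                  104: "IDS_EVENT_VLAN", 105: "IDS_EVENT_IPV6_VLAN", 110: "EXTRA_DATA"}
# Classic libpcap magic numbers: microsecond and nanosecond variants, both byte orders.
PCAP_MAGICS = {b"\xd4\xc3\xb2\xa1", b"\xa1\xb2\xc3\xd4",
               b"\x4d\x3c\xb2\xa1", b"\xa1\xb2\x3c\x4d"}


def classify_log(head: bytes) -> str:
    """Classify a Snort output file from its first 8 bytes: 'pcap', 'unified2' or 'unknown'.

    Unified2 has no file magic; every record begins with a big-endian type and length,
    so a known record type with a plausible length is accepted as unified2.
    """
    if len(head) < 8:
        return "unknown"
    if head[:4] in PCAP_MAGICS:
        return "pcap"
    rec_type, rec_len = struct.unpack("!II", head[:8])
    if rec_type in UNIFIED2_TYPES and 0 < rec_len < 65536:
        return "unified2"
    return "unknown"


def audit_cmdline(cmdline: str, snort_conf: str) -> list:
    """Report a '-s' switch that replaces the output section of snort.conf.

    As described in the thread, '-s' disables the configured output plugins, so the
    'output unified2:' line stops producing files and '-l <dir>' gets the pcap default.
    """
    args = shlex.split(cmdline)
    outputs = [ln.strip() for ln in snort_conf.splitlines() if ln.strip().startswith("output ")]
    findings = []
    if "-s" in args and any(o.startswith("output unified2") for o in outputs):
        findings.append("'-s' on the command line overrides the unified2 output in snort.conf; remove it")
    if "-s" in args and any(o.startswith("output alert_syslog") for o in outputs):
        findings.append("alert_syslog is already configured in snort.conf, so '-s' is redundant")
    return findings


# Constructed sample inputs: the eth1 sensor's command line and config from the thread.
SAMPLE_CMDLINE = ("/usr/sbin/snort -s -D -i eth1 -u snort -g snort "
                  "-c /etc/snort/snort.conf -l /var/log/snort/eth1")
SAMPLE_CONF = ("output unified2: filename snort.u2, limit 128\n"
               "output alert_syslog: LOG_LOCAL7 LOG_WARNING LOG_NDELAY\n")
PCAP_HEAD = b"\xd4\xc3\xb2\xa1\x02\x00\x04\x00"   # little-endian pcap header, version 2.4
U2_HEAD = struct.pack("!II", 7, 52)                # constructed IDS_EVENT record header

if __name__ == "__main__":
    print(classify_log(PCAP_HEAD), classify_log(U2_HEAD))
    for finding in audit_cmdline(SAMPLE_CMDLINE, SAMPLE_CONF):
        print("WARNING:", finding)
```

Run classify_log on the first 8 bytes of each file under the '-l' directory; a file that reports "pcap" while snort.conf says unified2 is the symptom from this thread.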
