Snort mailing list archives

unified2 merged logging does not work properly when the -s command line parameter


From: Jonathan Kobrick <kobo500 () gmail com>
Date: Mon, 24 Jun 2013 12:57:44 -0400

I wanted to share this finding with the group in case others have hit this
issue.  Apologies in advance if this is already a known issue or a
documented config exception but I couldn't find any reference to this.

I was trying to get unified2 merged logging working.  As part of our
troubleshooting, we upgraded to 2.9.4.6 and still saw this issue.  Snort
was generating snort.log files even though we had this output plugin
configured in snort.conf:

output unified2: filename snort.u2, limit 128

output alert_syslog: LOG_AUTH LOG_ALERT


They weren't being processed by barnyard (2-1.13) and pumped into the
database.

What I found was that we had a "-s" going in as a parameter when snort was
starting. We removed the "-s" from the snort command line (it was in the
init.d script; I'm not sure where it came from, and it could have been
legacy, which is what caused our trip-up). The -s is to log snort alerts to
syslog, but that's not required since we use the syslog output plugin in
snort.conf already. The "-s" was apparently conflicting with the unified2
output plugin, since we got snort.log files instead of the snort.u2 files.

Hopefully this is helpful to someone.
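A quick sanity check for the situation described in the post, written as an added example (it is not part of the original message and not a Snort-project tool): it scans a snort.conf for an enabled unified2 output plugin and the Snort start-up command line (for instance the one in an init.d script) for a standalone "-s", and reports the combination as a conflict. The function names, the CONFLICT/OK result strings and the sample snort.conf written by the demo are all constructed for this example; whether "-s" and unified2 actually clash on a given Snort build is the post's observation, which this script only helps you spot, not verify.

```shell
#!/bin/sh
# Added example, not from the original post. Flags a Snort start-up command
# that passes "-s" (syslog alerting) while snort.conf already enables the
# unified2 output plugin, the combination the post reports as producing
# snort.log files instead of the expected snort.u2 files.

# Return 0 when the snort.conf at $1 has an active "output unified2:" line.
# Commented-out lines (leading "#") do not match the anchored pattern.
conf_has_unified2() {
    grep -Eq '^[[:space:]]*output[[:space:]]+unified2[[:space:]]*:' "$1"
}

# Return 0 when the command line in $1 contains an exact "-s" token.
# Tokens such as "-S" or "-snaplen" are deliberately not treated as "-s".
cmdline_has_s() {
    for tok in $1; do
        [ "$tok" = "-s" ] && return 0
    done
    return 1
}

# Print CONFLICT when both conditions hold, otherwise OK.
# $1 = path to snort.conf, $2 = the full snort command line as one string.
check_snort_start() {
    if conf_has_unified2 "$1" && cmdline_has_s "$2"; then
        echo CONFLICT
    else
        echo OK
    fi
}

# Demo: write a constructed snort.conf mirroring the post's two output lines
# and check two start-up commands against it. Cleans up its temp file.
demo() {
    conf=$(mktemp)
    printf '%s\n' \
        '# constructed sample snort.conf' \
        'output unified2: filename snort.u2, limit 128' \
        'output alert_syslog: LOG_AUTH LOG_ALERT' > "$conf"
    echo "with -s:    $(check_snort_start "$conf" "snort -s -c $conf -i eth0 -D")"
    echo "without -s: $(check_snort_start "$conf" "snort -c $conf -i eth0 -D")"
    rm -f "$conf"
}

demo
```

Run it against the real paths by calling check_snort_start with your snort.conf and the command line extracted from your init script or service unit; a CONFLICT result means the syslog flag is redundant with the alert_syslog plugin anyway and is worth removing before looking elsewhere for why barnyard sees no .u2 files.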