Re: Unable to get snort to output unified logs

[Jeremy Hoel <jthoel () gmail com>]

Centos can also have defaults in the /etc/sysconfig/snort file. I would
check there for any defaults also.  Did you install via rpm or by source?
I am running 50+ snort sensors on centos, so I know it works fine, but I do
compile from source instead of using the rpm, but we can figure it out if
you want.


On Fri, Aug 22, 2014 at 11:04 PM, Khanh Tran <ktran () ktran com> wrote:

>  Hello,
>
>
> I'm running CentOS release 6.5 (Final):
>
> # uname -a
>
> 2.6.32-431.1.2.0.1.el6.x86_64 #1 SMP Fri Dec 13 13:06:13 UTC 2013 x86_64
> x86_64 x86_64 GNU/Linux
>
>
> I just tried your suggestion by executing snort using exact
> path...Unfortunately no luck. Going to rebuild this weekend and will try
> running snort on Ubuntu or Fedora. So strange...
>
> Thanks
>
>
> KT
>
>
>  On August 22, 2014 at 6:05 PM waldo kitty <wkitty42 () windstream net>
> wrote:
>
>
> On 8/22/2014 1:17 PM, Khanh Tran wrote:
> > Hello,
> >
> >
> > I'm not sure what I'm doing wrong but snort consistently output pcap logs
> > instead of unified2 format which is required by Barnyard2.
> >
> > Snort seems to ignore my unified output completely. Other outputs such as
> > tcpdump, syslog and alerting worked fine. But my unified output line -->
> 'output
> > unified2: filename snort.u2, limit 128' is completely ignored by snort.
> Even
> > when this line is commented out, snort continues to generate
> snort.log.xxxx in
> > pcap format. It seems to ignore output unified2 line completely.
>
> what OS are you running snort on?
>
> i ask because we've seen instances where folks on *nix thought they were
> running
> the snort binary but were, instead, running a wrapper script which had
> hardcoded
> options in it which overrode what they thought they were sending on the
> command
> line...
>
> the way around this is to always use the path to execute snort so that you
> /know/ that what you think you are running is actually what you are
> running...
>
> eg: /usr/local/snort/bin/snort some command params here
> /etc/init.d/snort start
>
> --
> NOTE: No off-list assistance is given without prior approval.
> Please *keep mailing list traffic on the list* unless
> private contact is specifically requested and granted.
>
>
> ------------------------------------------------------------------------------
> Slashdot TV.
> Video for Nerds. Stuff that matters.
> http://tv.slashdot.org/
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
>
> Please visit http://blog.snort.org to stay current on all the latest
> Snort news!
>
>
>
> ------------------------------------------------------------------------------
> Slashdot TV.
> Video for Nerds.  Stuff that matters.
> http://tv.slashdot.org/
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
>
> Please visit http://blog.snort.org to stay current on all the latest
> Snort news!
------------------------------------------------------------------------------
Slashdot TV.  
Video for Nerds.  Stuff that matters.
http://tv.slashdot.org/

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!