Snort mailing list archives
Re: barnyard not reading log files
From: Rajesh G S <rajeshgs () tevatel com>
Date: Thu, 5 Nov 2015 20:53:31 +0530
This is the output of barnyard2:

barnyard2 -c /etc/snort/barnyard2.conf -d /var/log/snort -f snort.u2 -w /var/log/snort/barnyard2.waldo -g snort -u snort
Running in Continuous mode

        --== Initializing Barnyard2 ==--
Initializing Input Plugins!
Initializing Output Plugins!
Parsing config file "/etc/snort/barnyard2.conf"

+[ Signature Suppress list ]+
----------------------------
+[No entry in Signature Suppress List]+
----------------------------
+[ Signature Suppress list ]+

Barnyard2 spooler: Event cache size set to [2048]
Log directory = /var/log/barnyard2
INFO database: Defaulting Reconnect/Transaction Error limit to 10
INFO database: Defaulting Reconnect sleep time to 5 second
[CacheSynchronize()],INFO: No system was found in cache (from signature map file), will not process or synchronize informations found in the database
database: compiled support for (mysql)
database: configured to use mysql
database: schema version = 107
database:           host = localhost
database:           user = snort
database:  database name = snort
database:    sensor name = snort:NULL
database:      sensor id = 1
database:     sensor cid = 11
database:  data encoding = hex
database:   detail level = full
database:     ignore_bpf = no
database: using the "log" facility

        --== Initialization Complete ==--

  ______   -*> Barnyard2 <*-
 / ,,_  \  Version 2.1.14 (Build 336)
 |o"  )~|  By Ian Firns (SecurixLive): http://www.securixlive.com/
 + '''' +  (C) Copyright 2008-2013 Ian Firns <firnsy () securixlive com>

Using waldo file '/var/log/snort/barnyard2.waldo':
    spool directory = /var/log/snort
    spool filebase  = snort.u2
    time_stamp      = 1446725542
    record_idx      = 20
Opened spool file '/var/log/snort/snort.u2.1446725542'
Waiting for new data
^C*** Caught Int-Signal
Barnyard2 exiting
database: Closing connection to database "snort"
===============================================================================
Record Totals:
   Records:          20
   Events:           10 (50.000%)
   Packets:          10 (50.000%)
   Unknown:           0 (0.000%)
   Suppressed:        0 (0.000%)
===============================================================================
Packet breakdown by protocol (includes rebuilt packets):
      ETH:       10 (100.000%)
  ETHdisc:        0 (0.000%)
     VLAN:        0 (0.000%)
     IPV6:        0 (0.000%)
  IP6 EXT:        0 (0.000%)
  IP6opts:        0 (0.000%)
  IP6disc:        0 (0.000%)
      IP4:       10 (100.000%)
  IP4disc:        0 (0.000%)
    TCP 6:        0 (0.000%)
    UDP 6:        0 (0.000%)
    ICMP6:        0 (0.000%)
  ICMP-IP:        0 (0.000%)
      TCP:        0 (0.000%)
      UDP:        0 (0.000%)
     ICMP:       10 (100.000%)
  TCPdisc:        0 (0.000%)
  UDPdisc:        0 (0.000%)
  ICMPdis:        0 (0.000%)
     FRAG:        0 (0.000%)
   FRAG 6:        0 (0.000%)
      ARP:        0 (0.000%)
    EAPOL:        0 (0.000%)
  ETHLOOP:        0 (0.000%)
      IPX:        0 (0.000%)
    OTHER:        0 (0.000%)
  DISCARD:        0 (0.000%)
InvChkSum:        0 (0.000%)
   S5 G 1:        0 (0.000%)
   S5 G 2:        0 (0.000%)
    Total:       10
===============================================================================
Closing spool file '/var/log/snort/snort.u2.1446725542'. Read 20 records

I am very much concerned about the line

[CacheSynchronize()],INFO: No system was found in cache (from signature map file), will not process or synchronize informations found in the database

I don't know why it comes. Can anyone guide me?

Thanks, with regards,
Rajesh Saibaba.

On Thu, Nov 5, 2015 at 8:46 PM, Rajesh G S <rajeshgs () tevatel com> wrote:
Hi all,

I am trying to run Snort as an IDS. I can see log files being created each time I test Snort, but barnyard2 reads only the very first log file created. It skips the other alert caches.

[root@snort ~]# ll /var/log/snort/
total 36
-rw-r--r-- 1 snort snort 2056 Nov  5 17:46 barnyard2.waldo
-rw------- 1 snort snort  366 Nov  5 17:45 snort.log.1446725727
-rw------- 1 snort snort  384 Nov  5 17:47 snort.log.1446725842
-rw------- 1 snort snort  822 Nov  5 18:00 snort.log.1446726642
-rw------- 1 snort snort  936 Nov  5 20:06 snort.log.1446734162
-rw------- 1 snort snort  822 Nov  5 20:07 snort.log.1446734225
-rw------- 1 snort snort  708 Nov  5 20:07 snort.log.1446734260
-rw------- 1 snort snort 1050 Nov  5 20:32 snort.log.1446735742
-rw------- 1 snort snort 1940 Nov  5 17:42 snort.u2.1446725542

Every time I test Snort it is able to show alerts, but there is no rise in the count; the count keeps showing me 10.

[root@snort ~]# mysql -u snort -p -D snort -e "select count(*) from event"
Enter password:
+----------+
| count(*) |
+----------+
|       10 |
+----------+

I think that no entry has been made in the MySQL database; I am not sure and have no clue about it. So can anyone help me?

Thanks, with regards.
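The listing above shows barnyard2 started with -f snort.u2 and a spool filebase of snort.u2, while the newer files in the directory are named snort.log.<timestamp>. The following shell check is an added example, not code from the thread or from barnyard2 itself; it assumes that barnyard2 in continuous mode only opens spool files named <filebase>.<timestamp>, and reports which files in a spool directory a given filebase would pick up and which would be left unread.

```shell
#!/bin/sh
# Added diagnostic (not from the original thread). Assumption: barnyard2 in
# continuous mode only opens files named "<filebase>.<timestamp>", so files
# written under a different prefix are never read.

# Print the spool files that "barnyard2 -f $2" will pick up in directory $1.
matching_spool_files() {
    dir=$1; base=$2
    for f in "$dir"/"$base".*; do
        [ -e "$f" ] || continue
        case "${f##*/}" in
            "$base".[0-9]*) echo "${f##*/}" ;;
        esac
    done
}

# Print timestamped files in $1 whose prefix is not $2 (barnyard2 skips them).
skipped_spool_files() {
    dir=$1; base=$2
    for f in "$dir"/*.[0-9]*; do
        [ -e "$f" ] || continue
        name=${f##*/}
        case "$name" in
            "$base".[0-9]*) ;;        # picked up by barnyard2
            *.waldo) ;;               # bookmark file, not a spool file
            *) echo "$name" ;;
        esac
    done
}

# Number of skipped files; 0 means the filebase and the spool files agree.
count_skipped() {
    skipped_spool_files "$1" "$2" | wc -l | tr -d ' '
}

# Constructed sample directory mirroring the file names in the thread.
demo_dir=$(mktemp -d)
for ts in 1446725727 1446725842 1446726642; do : > "$demo_dir/snort.log.$ts"; done
: > "$demo_dir/snort.u2.1446725542"
: > "$demo_dir/barnyard2.waldo"

echo "barnyard2 -f snort.u2 will read:"
matching_spool_files "$demo_dir" snort.u2
echo "and will leave unread:"
skipped_spool_files "$demo_dir" snort.u2
```

Run it against the real spool directory by replacing demo_dir with the -d path and the filebase with the -f value; a non-zero skipped count means the two settings disagree and those files will never reach the database.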
------------------------------------------------------------------------------
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!