Re: Barnyard problem?

[James <snort () cyclohexane net>]

Removing "nostamp, mpls_event_types, vlan_event_types" from the unified
output section of my snort.conf has fixed the problem. My guess is it was
the nostamp in particular since Snort is now outputting files named
filename.timestamp and that's what Barnyard was looking for rather than
just filename.

On 17 December 2015 at 15:57, James <snort () cyclohexane net> wrote:

> Hi,
>
> I tried the barnyard users mailing list but this one is a bit more
> populated so I'm trying here too. I am attempting to run 16 instances of
> snort which, via pf_ring, are monitoring 2 x 10Gb NIC's. That part is
> working and Snort is logging to a unified2 file. This is in my snort.conf:
>
> output unified2: filename merged.log, limit 1024, nostamp,
> mpls_event_types, vlan_event_types
>
> Snort is started via this command line (I'm simplifying to a single
> instance here for debug purposes):
>
> snort -q -u snort -g snort --pid-path /var/run --create-pidfile -D -c
> /etc/snort/snort.conf -l /logs/snort/eth4_eth5/instance-0
> --daq-dir=/usr/local/lib/daq --daq pfring_zc --daq-mode passive -i zc:eth4@0
> ,zc:eth5@0 --daq-var clusterid=0 --daq-var bindcpu=0
>
> Within that log dir I see the merged.log file is created:
>
> [ ~]$ sudo ls -l /logs/snort/eth4_eth5/instance-0
> total 68
> -rw-r--r-- 1 snort snort     0 Dec 16 11:22 bylog.waldo
> -rw------- 1 snort snort 63957 Dec 16 15:43 merged.log
> -rw------- 1 snort snort     6 Dec 16 11:23 snort_zc:eth4@0,zc:eth5 () 0 pid
> -rwx------ 1 snort snort     0 Dec 16 11:23 snort_zc:eth4@0
> ,zc:eth5 () 0 pid lck
>
> Barnyard is started via this command line:
>
> barnyard2 -q -u snort -g snort -D -c /etc/snort/barnyard2.conf -d
> /logs/snort/eth4_eth5/instance-0 -f merged.log -i eth4_eth5-0 -w
> /logs/snort/eth4_eth5/instance-0/bylog.waldo
>
> But, as you can see from the dir listing above, the bylog.waldo file
> remains at 0 bytes and I receive no events at barnyards configured output
> syslog server. I know alerts have been generated because Snort is also
> (temporarily) set to log to syslog directly. Barnyard is definitely running
> and /var/log/messages shows it is waiting for new spool file. It does warn
> about a corrupt/truncated waldofile, but I gather from other forum posts
> that is normal on first run. The u2spewfoo command shows the merged.log
> file as being a valid file which contains events.
>
> Any help would be very much appreciated.
>
> Thanks
> J.
------------------------------------------------------------------------------

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!