Snort mailing list archives
Re: Snort output plugins using Barnyard.
From: Y M <snort () outlook com>
Date: Tue, 20 Sep 2016 20:39:33 +0000
If I understand correctly, you are using Barnyard2 to parse u2 files generated by Snort into Syslog and db, correct? If that's the case, then Snort does not need to be sending Syslog alert logs to the local facility. It is already outputting the logs in u2 format. In other words, it is simply writing u2 to disk irrespective of the Barnyard2 process. Hence Snort should not stop running when Barnyard2 fails. I guess what you mean is that Barnyard2 stops sending Syslog when the database connection fails. AFAIK, Barnyard2 has to be restarted to pick up again.

YM

_____________________________
From: fatema bannatwala <fatema.bannatwala () gmail com>
Sent: Tuesday, September 20, 2016 9:58 PM
Subject: [Snort-users] Snort output plugins using Barnyard.
To: <snort-users () lists sourceforge net>

Hi,

We have snort 2.9.7 up and running, with unified2 format output set up in snort.conf. We also have barnyard2 configured to log the snort unified2 output in different formats. We have two output plugins enabled in barnyard, one is to syslog to the local1 facility (output alert_syslog: LOG_INFO LOG_LOCAL1) and another one to log the alerts into a postgres DB (output database: log, postgresql, user=db_user password=some_password dbname=snorby host=host123.somedomain).

Recently we ran into an issue where snort stopped sending the syslog messages to the local facility when the other barnyard plugin, i.e., the database connection, failed. Hence my question is, does snort stop processing other output plugins as well if any one of them fails in barnyard? Or is there any way to make sure the other output plugins still get processed if one of them fails?

Also, the order of the output plugin definitions in barnyard2.conf is: first the syslog output is defined, and at the end of the file the database output plugin is defined. Hence I was thinking that snort should have processed the syslog plugin and sent the syslogs to local1 before processing the database plugin and finding out that it is not able to connect to the database.

Any suggestion/comment appreciated.

Thanks,
Fatema.
------------------------------------------------------------------------------
_______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users Please visit http://blog.snort.org to stay current on all the latest Snort news!
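The thread turns on which output plugins barnyard2.conf defines and in what order, and the posted database line carries a plaintext password. The following is an added example, not code from the thread or from the Barnyard2 project: it parses the `output <plugin>: <args>` directives out of a barnyard2.conf, reports them in definition order, and redacts credentials so the listing can be pasted into a ticket or a mailing list. The sample config is constructed for this example and only mirrors the two plugins described above; the backslash-continuation handling and the `key=value` argument syntax are assumptions based on the directive format shown in the thread.

```python
"""Added example (not from the thread): list barnyard2 output plugins in
definition order, with database credentials redacted.

Assumptions: barnyard2.conf uses the 'output <plugin>: <args>' directive
syntax shown in the thread, arguments are comma- or space-separated, and a
trailing backslash continues a directive on the next line. The config text
below is constructed for this example, not a real deployment's file."""
import re
from typing import Dict, List, Tuple

# Constructed sample, modelled on the two plugins described in the thread.
SAMPLE_CONF = """\
# barnyard2.conf (constructed sample)
config reference_file: /etc/snort/reference.config
input unified2

output alert_syslog: LOG_INFO LOG_LOCAL1

# ... other settings ...

output database: log, postgresql, user=db_user password=some_password \\
    dbname=snorby host=host123.somedomain
"""

OUTPUT_RE = re.compile(r"^\s*output\s+([A-Za-z0-9_]+)\s*:\s*(.*)$")
SECRET_KEYS = {"password"}


def join_continuations(text: str) -> List[str]:
    """Merge lines that end in a backslash into one logical line."""
    lines: List[str] = []
    buf = ""
    for raw in text.splitlines():
        if raw.rstrip().endswith("\\"):
            buf += raw.rstrip()[:-1] + " "
            continue
        lines.append(buf + raw)
        buf = ""
    if buf:
        lines.append(buf)
    return lines


def parse_outputs(text: str) -> List[Tuple[str, List[str], Dict[str, str]]]:
    """Return (plugin, positional args, key=value args) in file order."""
    plugins: List[Tuple[str, List[str], Dict[str, str]]] = []
    for line in join_continuations(text):
        line = line.split("#", 1)[0]          # drop trailing comments
        m = OUTPUT_RE.match(line)
        if not m:
            continue
        plugin, rest = m.group(1), m.group(2)
        positional: List[str] = []
        keyed: Dict[str, str] = {}
        for tok in re.split(r"[,\s]+", rest.strip()):
            if not tok:
                continue
            if "=" in tok:
                k, v = tok.split("=", 1)
                keyed[k] = v
            else:
                positional.append(tok)
        plugins.append((plugin, positional, keyed))
    return plugins


def describe(text: str) -> List[str]:
    """One line per output plugin, in definition order, secrets redacted."""
    out: List[str] = []
    for i, (plugin, positional, keyed) in enumerate(parse_outputs(text), 1):
        safe = {k: ("<redacted>" if k in SECRET_KEYS else v)
                for k, v in keyed.items()}
        kv = " ".join(f"{k}={v}" for k, v in safe.items())
        out.append(f"{i}. {plugin}: {' '.join(positional)} {kv}".rstrip())
    return out


if __name__ == "__main__":
    for line in describe(SAMPLE_CONF):
        print(line)
```

Run it against a real barnyard2.conf by replacing `SAMPLE_CONF` with the file contents. Since the database directive has to carry the PostgreSQL password inline, the config file itself is a credential store: keep it readable only by the account barnyard2 runs as, and use output like the redacted listing above rather than the raw file when sharing a configuration for troubleshooting.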
Current thread:
- Snort output plugins using Barnyard. fatema bannatwala (Sep 20)
- Re: Snort output plugins using Barnyard. Joel Esler (jesler) (Sep 20)
- Re: Snort output plugins using Barnyard. fatema bannatwala (Sep 20)
- Re: Snort output plugins using Barnyard. Joel Esler (jesler) (Sep 20)
- Re: Snort output plugins using Barnyard. fatema bannatwala (Sep 20)
- Re: Snort output plugins using Barnyard. Y M (Sep 20)
- Re: Snort output plugins using Barnyard. fatema bannatwala (Sep 20)
- Re: Snort output plugins using Barnyard. Joel Esler (jesler) (Sep 20)