Re: can't log to merged.log file in unified2 format in Version 2.9.9.0

["Berndt, Achim" <aberndt () studio-hamburg de>]

Hello,

that's my working config:

################################################################################
# unified2
# Recommended for most installs
# output unified2: filename merged.log, limit 128, nostamp, mpls_event_types, vlan_event_types
output unified2: filename merged.log2, limit 128
output unified2: filename merged.log2, limit 128

# Additional configuration for specific types of installs
# output alert_unified2: filename snort.alert, limit 128, nostamp
# output log_unified2: filename snort.log, limit 128, nostamp
# output alert_unified2: filename snort.alert2, limit 128
# output log_unified2: filename snort.log2, limit 128
# syslog
# output alert_syslog: LOG_AUTH LOG_ALERT

# pcap
# output log_tcpdump: tcpdump.log

# metadata reference data.  do not modify these lines
include classification.config
include reference.config
#################################################################################

it generate following logfiles:
-> merged.log2 (unified2 format)

If I enable:
output unified2: filename merged.log2, limit 128
output alert_unified2: filename snort.alert2, limit 128
output log_unified2: filename snort.log2, limit 128
it generate following logfiles:
-> snort.alert2 (unified2 format)
-> snort.log2 (unified2 format)

If I enable:
output alert_unified2: filename snort.alert2, limit 128
output log_unified2: filename snort.log2, limit 128
it generate following logfiles:
-> alert (pcap format)
-> snort.log2 (unified2 format)

It seems, that the first entry will be ignored?!

Regards
Achim



-----Ursprüngliche Nachricht-----
Von: Russ [mailto:rucombs () cisco com] 
Gesendet: Freitag, 21. April 2017 15:09
An: Berndt, Achim <aberndt () studio-hamburg de>; snort-users () lists sourceforge net
Betreff: Re: [Snort-users] can't log to merged.log file in unified2 format in Version 2.9.9.0

What is in your conf on the preceding line?

On 4/21/17 6:26 AM, Berndt, Achim wrote:
> Hello,
>
> it works, if we put in the directive two times.
>
> output unified2: filename merged.u2, limit 128 output unified2: 
> filename merged.u2, limit 128
>
> it seems, that the first line will be ignored.
>
> Regards
> Achim
>
>
> ----------------------------------------------------------------------
> -------- Check out the vibrant tech community on one of the world's 
> most engaging tech sites, Slashdot.org! http://sdm.link/slashdot 
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
>
> Please visit http://blog.snort.org to stay current on all the latest Snort news!


------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!