[Snort-users] barnyard: alert_syslog2 not working

permalink · #1 (**permalink**) 10-08-2004

This message is in MIME format. Since your mail reader does not understand
this format, some or all of this message may not be legible.

------_=_NextPart_001_01C4ACC1.614FC0BE
Content-Type: text/plain;
charset="iso-8859-1"

Here is my barnyard.conf file

config hostname: x.x.x.x
config interface: x
output alert_syslog2: severity: NOTICE; facility: LOCAL1;
#output alert_syslog: LOG_LOCAL2 LOG_ALERT LOG_NDELAY

Here are the lines I added to the syslog.conf file:

local1.*
/var/log/barnyard.log
local2.*
/var/log/barnyard2.log

I SIGHUP'd both syslogd and barnyard. I even tried rebooting once, but

Running the command:

barnyard -o snort.eth1.alert.1097060734 -c /etc/snort/barnyard.conf

Produces no output in /var/log/barnyard.log

I have Snort configured to output in unified format. I know that this is
working because I can get Barnyard to log to a database, and also the
alert_syslog plugin works fine (using the commented directive above).

Any ideas why the old syslog plugin works, but the new one doesn't? What am
I forgetting?

------_=_NextPart_001_01C4ACC1.614FC0BE
Content-Type: text/html;
charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD>
<META HTTP-EQUIV=3D"Content-Type" CONTENT=3D"text/html; =
charset=3Diso-8859-1">

<META content=3D"MSHTML 6.00.2800.1458" name=3DGENERATOR></HEAD>
<BODY>
<DIV><FONT face=3DArial size=3D2><SPAN class=3D857555222-07102004>Here =
is my=20
barnyard.conf file</SPAN></FONT></DIV>
<DIV><FONT face=3DArial size=3D2></FONT> </DIV>
<DIV><FONT face=3DArial size=3D2>config hostname: <SPAN=20
class=3D857555222-07102004>x.x.x.x</SPAN></FONT></DIV>
<DIV><FONT><SPAN class=3D857555222-07102004></SPAN><FONT face=3DArial =
size=3D2>config=20
interface: <SPAN class=3D857555222-07102004>x</SPAN><BR>output =
alert_syslog2:=20
severity: NOTICE; facility: LOCAL1;</FONT></FONT></DIV>
<DIV><FONT><FONT face=3DArial size=3D2>#output alert_syslog: LOG_LOCAL2 =
LOG_ALERT=20
LOG_NDELAY<BR></DIV></FONT></FONT>
<DIV><FONT><FONT><SPAN class=3D857555222-07102004><FONT face=3DArial =
size=3D2>Here are=20
the lines I added to the syslog.conf =
file:</FONT></SPAN></FONT></FONT></DIV>
<DIV><FONT><FONT><SPAN class=3D857555222-07102004><FONT face=3DArial=20
size=3D2></FONT></SPAN></FONT></FONT> </DIV>
<DIV><FONT><FONT><SPAN class=3D857555222-07102004><FONT face=3DArial=20
size=3D2>local1.*     &nb sp;   &=
nbsp;       &nb sp;   &=
nbsp;       &nb sp;   &=
nbsp;       &nb sp;   &=
nbsp;  =20
/var/log/barnyard.log<BR>local2.*    &n bsp; &nb=
sp;       &nbsp ;   &nb=
sp;       &nbsp ;   &nb=
sp;       &nbsp ;   &nb=
sp;    =20
/var/log/barnyard2.log</FONT></SPAN></FONT></FONT></DIV>
<DIV><FONT><FONT><SPAN class=3D857555222-07102004><FONT face=3DArial=20
size=3D2></FONT></SPAN></FONT></FONT> </DIV><FONT><FONT><SPAN=20
class=3D857555222-07102004><FONT size=3D2>
<DIV><FONT size=3D+0><FONT size=3D+0><SPAN=20
class=3D857555222-07102004></SPAN></FONT></FONT><FONT size=3D+0><FONT =
size=3D+0><SPAN=20
class=3D857555222-07102004><FONT face=3DArial size=3D2>I SIGHUP'd both =
syslogd and=20
barnyard. I even tried rebooting once, =
but</FONT></SPAN></FONT></FONT></DIV>
<DIV><FONT size=3D+0><FONT face=3DArial size=3D2><SPAN=20
class=3D857555222-07102004></SPAN></FONT></FONT> </DIV>
<DIV><FONT size=3D+0><FONT size=3D+0><SPAN =
class=3D857555222-07102004><FONT face=3DArial=20
size=3D2>Running the command:</FONT></SPAN></FONT></FONT></DIV>
<DIV><FONT size=3D+0><FONT size=3D+0><SPAN =
class=3D857555222-07102004><FONT face=3DArial=20
size=3D2></FONT></SPAN></FONT></FONT> </DIV>
<DIV><FONT size=3D+0><FONT size=3D+0><SPAN =
class=3D857555222-07102004><FONT face=3DArial=20
size=3D2>barnyard -o snort.eth1.alert.1097060734 -c=20
/etc/snort/barnyard.conf</FONT></SPAN></FONT></FONT></DIV>
<DIV><FONT size=3D+0><FONT size=3D+0><SPAN =
class=3D857555222-07102004><FONT face=3DArial=20
size=3D2></FONT></SPAN></FONT></FONT> </DIV>
<DIV><FONT size=3D+0><FONT size=3D+0><SPAN =
class=3D857555222-07102004><FONT=20
size=3D2><FONT face=3DArial>Produces no output in =
/var/log/barnyard.log</FONT></DIV>
<DIV><FONT face=3DArial></FONT></FONT></SPAN></FONT></FONT> </DIV>
<DIV><FONT face=3DArial>I have Snort configured to output in unified =
format. I=20
know that this is working because I can get Barnyard to log to a =
database, and=20
also the alert_syslog plugin works fine (using the commented directive=20
above<SPAN class=3D857555222-07102004>)</SPAN>.</FONT></DIV>
<DIV><FONT face=3DArial></FONT> </DIV>
<DIV><SPAN class=3D857555222-07102004><FONT face=3DArial>Any ideas why =
the old=20
syslog plugin works, but the new one doesn't? What am I=20
forgetting?</FONT></SPAN></DIV>
<DIV></FONT></SPAN></FONT></FONT> </DIV>
<DIV><FONT><FONT face=3DArial size=3D2><SPAN=20
class=3D857555222-07102004></SPAN></FONT></FONT> </DIV><FONT><FONT>=
<SPAN=20
class=3D857555222-07102004><FONT face=3DArial size=3D2>
<DIV><BR></DIV></FONT></SPAN></FONT></FONT>
<DIV><FONT><FONT><SPAN class=3D857555222-07102004><FONT face=3DArial=20
size=3D2> </DIV></FONT></SPAN></FONT></FONT></BODY></HTML>

------_=_NextPart_001_01C4ACC1.614FC0BE--

-------------------------------------------------------
This SF.net email is sponsored by: IT Product Guide on ITManagersJournal
Use IT products in your business? Tell us what you think of them. Give us
Your Opinions, Get Free ThinkGeek Gift Certificates! Click to find out more
http://productguide.itmanagersjourna...uidepromo.tmpl
_______________________________________________
Snort-users mailing list
Snort-users@lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/...fo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.p...st=snort-users

Thread Tools	Search this Thread
Show Printable Version Email this Page	Search this Thread: Advanced Search
Display Modes
Linear Mode Switch to Hybrid Mode Switch to Threaded Mode