Snort mailing list archives

snort not logging


From: Pardeep Dhiman <pardeep_dhiman () hotmail com>
Date: Thu, 23 Aug 2012 16:43:21 +1000

Hi Guys

I have followed the guide below to install Snort on Ubuntu 12.04. Snort is
not logging anything into snort.u2.xxxxxx or the database. There is no error in
syslog. I can see it is running, but there are no logs.

If I run it like this: /usr/local/snort/bin/snort -A console -i eth1

I can see a lot of traffic on this interface.

Guide URL:

http://www.snort.org/assets/158/snortinstallguide293.pdf


# ls -l /var/log/snort/
total 4
-rw-r--r-- 1 snort snort 2056 Aug 23 16:36 barnyard2.waldo
-rw------- 1 snort snort    0 Aug 23 15:05 snort.u2.1345698347
-rw------- 1 snort snort    0 Aug 23 15:14 snort.u2.1345698890
-rw------- 1 snort snort    0 Aug 23 15:15 snort.u2.1345698954
-rw------- 1 root  root     0 Aug 23 15:18 snort.u2.1345699083
-rw------- 1 snort snort    0 Aug 23 15:25 snort.u2.1345699538
-rw------- 1 snort snort    0 Aug 23 15:55 snort.u2.1345701330
-rw------- 1 snort snort    0 Aug 23 16:32 snort.u2.1345703561
-rw------- 1 snort snort    0 Aug 23 16:36 snort.u2.1345703783


# ps aux | grep snort
snort    11021 14.5  1.3 352020 115260 ?       Rsl  15:55   5:08 /usr/local/snort/bin/snort -D -u snort -g snort -c /usr/local/snort/etc/snort.conf -i eth1
root     11024  0.0  0.0  21580  7064 ?        Ss   15:55   0:00 /usr/local/bin/barnyard2 -c /usr/local/snort/etc/barnyard2.conf -G /usr/local/snort/etc/gen-msg.map -S /usr/local/snort/etc/sid-msg.map -d /var/log/snort -f snort.u2 -w /var/log/snort/barnyard2.waldo -D


tail /var/log/syslog


Aug 23 16:32:41 vcids01 snort[13079]: [ Number of patterns truncated to 20 bytes: 422 ]
Aug 23 16:32:41 vcids01 snort[13079]: pcap DAQ configured to passive.
Aug 23 16:32:41 vcids01 snort[13079]: Acquiring network traffic from "eth1".
Aug 23 16:32:41 vcids01 snort[13079]: Initializing daemon mode
Aug 23 16:32:41 vcids01 snort[13080]: Daemon initialized, signaled parent pid: 13079
Aug 23 16:32:41 vcids01 snort[13080]: Reload thread starting...
Aug 23 16:32:41 vcids01 snort[13080]: Reload thread started, thread 0xa611fb40 (13080)
Aug 23 16:32:41 vcids01 kernel: [ 4045.644037] device eth1 entered promiscuous mode
Aug 23 16:32:41 vcids01 snort[13080]: Decoding Ethernet
Aug 23 16:32:41 vcids01 snort[13080]: Checking PID path...
Aug 23 16:32:41 vcids01 snort[13080]: PID path stat checked out ok, PID path set to /var/run/
Aug 23 16:32:41 vcids01 snort[13080]: Writing PID "13080" to file "/var/run//snort_eth1.pid"
Aug 23 16:32:41 vcids01 snort[13080]: Set gid to 1001
Aug 23 16:32:41 vcids01 snort[13080]: Set uid to 1001
Aug 23 16:32:41 vcids01 snort[13080]:
Aug 23 16:32:41 vcids01 snort[13080]:         --== Initialization Complete ==--
Aug 23 16:32:41 vcids01 snort[13080]: Commencing packet processing (pid=13080)
Aug 23 16:32:42 vcids01 barnyard2[13082]: Running in Continuous mode
Aug 23 16:32:42 vcids01 barnyard2[13082]:
Aug 23 16:32:42 vcids01 barnyard2[13082]:         --== Initializing Barnyard2 ==--
Aug 23 16:32:42 vcids01 barnyard2[13082]: Initializing Input Plugins!
Aug 23 16:32:42 vcids01 barnyard2[13082]: Initializing Output Plugins!
Aug 23 16:32:42 vcids01 barnyard2[13082]: Parsing config file "/usr/local/snort/etc/barnyard2.conf"
Aug 23 16:32:43 vcids01 barnyard2[13082]: Log directory = /var/log/barnyard2
Aug 23 16:32:43 vcids01 barnyard2[13082]: Initializing daemon mode
Aug 23 16:32:43 vcids01 barnyard2[13082]: Daemon parent exiting
Aug 23 16:32:43 vcids01 barnyard2[13083]: Daemon initialized, signaled parent pid: 13082
Aug 23 16:32:43 vcids01 barnyard2[13083]: PID path stat checked out ok, PID path set to /var/run/
Aug 23 16:32:43 vcids01 barnyard2[13083]: Writing PID "13083" to file "/var/run//barnyard2_eth1.pid"
Aug 23 16:32:43 vcids01 barnyard2[13083]: Last event seen for sid 1 was 0
Aug 23 16:32:43 vcids01 barnyard2[13083]: database: compiled support for (mysql)
Aug 23 16:32:43 vcids01 barnyard2[13083]: database: configured to use mysql
Aug 23 16:32:43 vcids01 barnyard2[13083]: database: schema version = 107
Aug 23 16:32:43 vcids01 barnyard2[13083]: database:           host = localhost
Aug 23 16:32:43 vcids01 barnyard2[13083]: database:           user = snort
Aug 23 16:32:43 vcids01 barnyard2[13083]: database:  database name = snort
Aug 23 16:32:43 vcids01 barnyard2[13083]: database:    sensor name = localhost:eth1
Aug 23 16:32:43 vcids01 barnyard2[13083]: database:      sensor id = 1
Aug 23 16:32:43 vcids01 barnyard2[13083]: database:     sensor cid = 1
Aug 23 16:32:43 vcids01 barnyard2[13083]: database:  data encoding = hex
Aug 23 16:32:43 vcids01 barnyard2[13083]: database:   detail level = full
Aug 23 16:32:43 vcids01 barnyard2[13083]: database:     ignore_bpf = no
Aug 23 16:32:43 vcids01 barnyard2[13083]: database: using the "log" facility
Aug 23 16:32:43 vcids01 barnyard2[13083]:
Aug 23 16:32:43 vcids01 barnyard2[13083]:         --== Initialization Complete ==--
Aug 23 16:32:43 vcids01 barnyard2[13083]: Barnyard2 initialization completed successfully (pid=13083)
Aug 23 16:32:43 vcids01 barnyard2[13083]: Using waldo file '/var/log/snort/barnyard2.waldo':#012    spool directory = /var/log/snort#012    spool filebase  = snort.u2#012    time_stamp      = 1345701330#012    record_idx      = 0
Aug 23 16:32:43 vcids01 barnyard2[13083]: Opened spool file '/var/log/snort/snort.u2.1345701330'
Aug 23 16:32:43 vcids01 barnyard2[13083]: Closing spool file '/var/log/snort/snort.u2.1345701330'. Read 0 records
Aug 23 16:32:43 vcids01 barnyard2[13083]: Opened spool file '/var/log/snort/snort.u2.1345703561'
Aug 23 16:32:43 vcids01 barnyard2[13083]: Waiting for new data
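An added check script for the symptom in this post (it is not part of the post, of Snort or of barnyard2): it looks in a snort.conf for an active `output unified2` line, compares its filename with the filebase barnyard2 is given via `-f`, counts rule includes, and flags a spool directory whose files are all 0 bytes. The demo directory, its snort.conf and the spool file names are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original post or the Snort/barnyard2 projects.
# For "Snort runs, spool files stay 0 bytes, barnyard2 reads 0 records":
# is an 'output unified2' line active in snort.conf, does its filename match
# barnyard2's -f filebase, and is any rule file included? Paths are constructed.

# Print the filename of the first active (uncommented) unified2 output line.
unified2_filebase() {
    sed -n 's/^[[:space:]]*output[[:space:]]\{1,\}unified2:.*filename[[:space:]]\{1,\}\([^, ]*\).*/\1/p' "$1" | head -n 1
}

# Count uncommented 'include $RULE_PATH/...' lines (0 means no rules loaded).
rule_include_count() {
    grep -c '^[[:space:]]*include[[:space:]]\{1,\}\$RULE_PATH' "$1" || true
}

# True when every <dir>/<filebase>.* spool file is empty (or none exist).
spool_is_empty() {
    for f in "$1"/"$2".*; do
        [ -e "$f" ] || return 0
        [ -s "$f" ] && return 1
    done
    return 0
}

# diagnose <snort.conf> <spool dir> <barnyard2 -f filebase>: non-zero on a config problem.
diagnose() {
    conf=$1 logdir=$2 filebase=$3 rc=0
    fb=$(unified2_filebase "$conf")
    if [ -z "$fb" ]; then
        echo "FAIL: no active 'output unified2' line in $conf"; rc=1
    elif [ "$fb" != "$filebase" ]; then
        echo "FAIL: Snort writes '$fb' but barnyard2 reads '$filebase'"; rc=1
    fi
    [ "$(rule_include_count "$conf")" -gt 0 ] || { echo "FAIL: no rule files included"; rc=1; }
    spool_is_empty "$logdir" "$filebase" && echo "WARN: every $filebase.* in $logdir is 0 bytes"
    return $rc
}

# Constructed demo tree mirroring the post: unified2 output commented out, two empty spool files.
make_demo() {
    d=$(mktemp -d) && mkdir "$d/log"
    printf '%s\n' 'var RULE_PATH ../rules' '# output unified2: filename snort.u2, limit 128' \
        'include $RULE_PATH/local.rules' > "$d/snort.conf"
    touch "$d/log/snort.u2.1345703561" "$d/log/snort.u2.1345703783"
    echo "$d"
}

demo=$(make_demo)
diagnose "$demo/snort.conf" "$demo/log" snort.u2 || echo "pipeline misconfigured"
```

Against a live sensor, call `diagnose` with the real paths from the ps output above (the snort.conf, the `-d` spool directory and the `-f` filebase).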
