Re: Unified logging doesn't work.

["Steve Crow" <scrow () amarilloheartgroup com>]

I don’t question that your command works, my question has to do with having snort start at boot. The recommended 
install docs at sourceforge use /etc/init.d/snortd and /etc/sysconfig/snort files. But they are not designed for 
unified output as far as I can tell.

 

If I go with your command, where do I place it to have snort automatically start up at boot time?

 

Thanks again!

 

Steve

 

From: James Lay [mailto:jlay () slave-tothe-box net] 
Sent: Monday, June 09, 2014 7:51 PM
To: snort-users () lists sourceforge net
Subject: Re: [Snort-users] Unified logging doesn't work.

 

On Mon, 2014-06-09 at 16:47 -0500, Steve Crow wrote: 

 
What script does that line go into?
I don't think I have seen it in the many googled documents that I have been
reviewing.
 
Steve
 
 
-----Original Message-----
From: James Lay [mailto:jlay () slave-tothe-box net] 
Sent: Monday, June 09, 2014 4:20 PM
To: snort-users () lists sourceforge net
Subject: Re: [Snort-users] Unified logging doesn't work.
 
On 2014-06-09 15:16, Steve Crow wrote:
> In the /etc/sysconfig/snort file there is this:
>
> #### General Configuration
>
> # What interface should snort listen on?  [Pick only 1 of the next 3!] 
> # This is -i {interface} on the command line # This is the snort.conf 
> config interface: {interface} directive # INTERFACE=eth0 # # The 
> following two options are not directly supported on the command line # 
> or in the conf file and assume the same Snort configuration for all # 
> instances # # To listen on all interfaces use this:
> #INTERFACE=ALL
> #
> # To listen only on given interfaces use this:
> INTERFACE="eth0 eth1"
>
> -----------------
>
> I included the full text in a reply to Joel. I am considering changing 
> this to ALL if Barnyard2 will work with a single unified file that 
> covers more than one interface. We're not a high bandwidth operation, 
> so I don't think I need to configure separate processes and 
> configuration files for each interface.
>
> Steve
 
Well...I don't recognize the sysconfig file but I can tell you that:
 
snort --daq afpacket --daq-mode passive -i eth0:eth1
 
Work like a champ and create only one unified file.
 
James
 


Currently my /etc/rc.local....but I did my own setup.  This is just straight command line.

James

------------------------------------------------------------------------------
HPCC Systems Open Source Big Data Platform from LexisNexis Risk Solutions
Find What Matters Most in Your Big Data with HPCC Systems
Open Source. Fast. Scalable. Simple. Ideal for Dirty Data.
Leverages Graph Analysis for Fast Processing & Easy Data Exploration
http://p.sf.net/sfu/hpccsystems

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!