Snort mailing list archives

Barnyard not outputting data to mysql db


From: Pratibha Rajan <pratibha.nair12 () outlook com>
Date: Tue, 23 Aug 2016 05:16:05 +0530

Hi All,
I am running barnyard in continuous mode but the events table in mysql db is not getting populated. Snort runs in 
daemon mode. Below is the script I am running for continuous mode:
/usr/local/bin/barnyard2 -c /etc/snort/barnyard2.conf -d /var/log/snort -f snort.log -w /var/log/barnyard2/barnyard2.waldo
Below are the O/P plugins set in snort.conf:
********************************************************************************
# Step #6: Configure output plugins
# For more information, see Snort Manual, Configuring Snort - Output Modules
###################################################

# unified2
# Recommended for most installs
output unified2: filename merged.log, limit 128, nostamp, mpls_event_types, vlan_event_types

# Additional configuration for specific types of installs
output alert_unified2: filename snort.alert, limit 128, nostamp
output log_unified2: filename snort.log, limit 128, nostamp

# syslog
# output alert_syslog: LOG_AUTH LOG_ALERT

# output alert_csv: /var/log/snort/csv.out

# pcap
# output log_tcpdump: tcpdump.log
output log_tcpdump: /var/log/snort/tcpdump.log

# metadata reference data.  do not modify these lines
include classification.config
include reference.config
**************************************************
necessary plugins for barnyard2.conf
**********************************************************

# Step 2: setup the input plugins
#
# this is not hard, only unified2 is supported ;)
input unified2

# output line
output alert_full

# database: log to a variety of databases
# ----------------------------------------------------------------------------
#
# Purpose: This output module provides logging ability to a variety of databases
# See doc/README.database for additional information.
#
# Examples:
output database: log, mysql, user=#### password=######## dbname=##### host=localhost


Aug 22 15:28:15 tparheidsp001 barnyard2: Closing spool file '/var/log/snort/snort.log.1471754794'. Read 0 records
Aug 22 15:28:15 tparheidsp001 barnyard2: Opened spool file '/var/log/snort/snort.log.1471894095'
Aug 22 15:49:48 tparheidsp001 barnyard2: Log directory = /var/log/snort


I have set a test alert to read ping requests to the sensor. I see the logs growing consistently:
-rwxr-xr-x. 1 snort snort 4432431 Aug 22 19:23 alert
-rw-r--r--. 1 root  root        0 Aug 21 01:23 barnyard2.alert
-rw-------. 1 snort snort       5 Aug 22 15:28 snort_ens192.pid
-rw-------. 1 snort snort       0 Aug 22 15:28 snort_ens192.pid.lck
-rw-------. 1 snort snort       0 Aug  3 14:46 snort.log.1470249961
-rw-------. 1 snort snort      24 Aug  3 15:48 snort.log.1470252537
-rw-------. 1 snort snort       0 Aug  3 16:25 snort.log.1470255941
-rw-------. 1 snort snort 2904270 Aug 19 21:08 snort.log.1471461503
-rw-------. 1 snort snort  101776 Aug 21 00:43 snort.log.1471655771
-rw-------. 1 snort snort  156288 Aug 22 15:26 snort.log.1471754794
-rw-------. 1 snort snort  109090 Aug 22 19:23 snort.log.1471894095

But barnyard seems unable to process it.
Are the logs not in Unified2 format? What needs to be changed?
Thanks 
Pratibha
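The post asks whether the spool files are really unified2. As an added example that is not part of the original post, here is a minimal walker for the unified2 record framing (big-endian 4-byte type and 4-byte length, then the record body) that counts records per type, pulls the generator/signature ids out of IDS event records, and reports whether the file ends on a record boundary. The record type numbers and the IDS event field layout are taken from Snort's unified2 header definitions (an assumption to verify against your Snort version); the sample bytes are constructed inline.

```python
import struct
from collections import Counter

# Record type ids as defined in Snort's unified2.h (assumed values)
UNIFIED2_PACKET = 2
UNIFIED2_IDS_EVENT = 7
UNIFIED2_IDS_EVENT_VLAN = 104
UNIFIED2_EXTRA_DATA = 110

RECORD_HDR = struct.Struct("!II")        # record type, record length (big-endian)
# Leading fields of an IDS event: 11 u32, 2 u16, 4 u8 (type 104 appends VLAN/MPLS fields)
IDS_EVENT_HDR = struct.Struct("!11I2H4B")

def walk_unified2(data):
    """Walk raw spool-file bytes. Returns (Counter of record types,
    list of (gid, sid) per IDS event, number of trailing bytes that do
    not form a complete record)."""
    counts, events, off = Counter(), [], 0
    while off + RECORD_HDR.size <= len(data):
        rtype, rlen = RECORD_HDR.unpack_from(data, off)
        body_start = off + RECORD_HDR.size
        if body_start + rlen > len(data):
            break                          # record runs past end of file: truncated or not unified2
        body = data[body_start:body_start + rlen]
        counts[rtype] += 1
        if rtype in (UNIFIED2_IDS_EVENT, UNIFIED2_IDS_EVENT_VLAN) and len(body) >= IDS_EVENT_HDR.size:
            f = IDS_EVENT_HDR.unpack_from(body)
            events.append((f[5], f[4]))    # (generator_id, signature_id)
        off = body_start + rlen
    return counts, events, len(data) - off

def looks_like_unified2(data):
    """True when at least one record exists and every byte belongs to a well-framed record."""
    counts, _, trailing = walk_unified2(data)
    return bool(counts) and trailing == 0

# ---- constructed sample input (not taken from the post) ----
def make_ids_event(gid, sid, src, dst):
    body = IDS_EVENT_HDR.pack(1, 7, 1471894095, 0, sid, gid, 0, 29, 3, src, dst, 8, 0, 1, 0, 0, 0)
    return RECORD_HDR.pack(UNIFIED2_IDS_EVENT, len(body)) + body

def make_packet(pkt):
    body = struct.pack("!7I", 1, 7, 1471894095, 1471894095, 0, 1, len(pkt)) + pkt
    return RECORD_HDR.pack(UNIFIED2_PACKET, len(body)) + body

SAMPLE_SPOOL = (make_ids_event(1, 1000001, 0x0A000001, 0x0A000002) +
                make_packet(b"\x45\x00" * 8) +
                make_ids_event(1, 1000001, 0x0A000003, 0x0A000002))
TEXT_ALERT = b"[**] [1:1000001:0] ICMP test [**]\n"   # fast-alert text, not unified2
TRUNCATED = SAMPLE_SPOOL[:-10]                         # spool file cut mid-record
```

Run walk_unified2 over the bytes of a spool file such as snort.log.1471894095: zero records with a large trailing count means the file is not unified2 at all, while records followed by a short tail means the writer was still mid-record when the file was read.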