Re: Snort output plugins using Barnyard.

[fatema bannatwala <fatema.bannatwala () gmail com>]

 I apologize for the miss-communication regarding the problem.

Yeah, snort is not sysloging to local facility, it's just outputing the
logs in u2 format. i.e I only have this in snort.conf for output plugins:
output unified2: filename merged.log, limit 128

And, barnyard2 is taking that snort u2 output as input and outputing it to
local1 as syslog and transferring it to a database on a remote server.
The barnyard2.conf looks like:
# Step 2: setup the input plugins
#
# this is not hard, only unified2 is supported ;)
input unified2

# Step 3: setup the output plugins
output alert_fast: stdout
output alert_syslog: LOG_INFO LOG_LOCAL1
output database: log, postgresql, user=user password=some_pass dbname=db1
host=xx.yy.zz

Hence, wanted to ask that is it possible for barnyard to still process
syslog, even if it fails to connect to database in the last plugin defined
in the barnyard2.conf.

Are there any alternate solutions ? One thing I was thinking was to have
syslog output plugin enabled in snort.conf rather than barnyard2, so in the
situations like
database is down, syslogs on the remote host should still be available to
query, and hence avoid the single point of failure for the snort alerts
logs.

Thanks,
Fatema.

On Tue, Sep 20, 2016 at 4:39 PM, Y M <snort () outlook com> wrote:

> If I understand correctly, you are using Barnayrd2 to parse u2 files
> generated by Snort into Syslog and db, correct?
>
> If that's the case, then Snort does not need to be sending Syslog alert
> logs to the local facility. It is already outputing the logs in u2 format.
> In other words, it is simply writing u2 to disk irrelevant to the Barnyard2
> process. Hence Snort should not stop running when Barnyard2 fails.
>
> I guess what you mean is that Barnyard2 stops sending Syslog when the
> database connection fails. AFAIK, Barnyard2 has to be restarted to pick up
> again.
>
> YM
>
> _____________________________
> From: fatema bannatwala <fatema.bannatwala () gmail com>
> Sent: Tuesday, September 20, 2016 9:58 PM
> Subject: [Snort-users] Snort output plugins using Barnyard.
> To: <snort-users () lists sourceforge net>
>
>
>
> Hi,
>
> We have snort 2.9.7 up and running, with unified2 format output setup in
> snort.conf.
> We also have barnyard2 configured to log the snort unified2 output in
> different formats.
> We have two output plugins enabled in barnyard, one is to syslog to local1
> facility  (output alert_syslog: LOG_INFO LOG_LOCAL1) and another one to log
> the alerts into a postgres DB (output database: log, postgresql,
> user=db_user password=some_password dbname=snorby host=host123.somedomain).
>
> Recently we ran into an issue where snort stopped sending the syslog
> messages to local facility, when the other barnyard plugin ,i.e, database
> connection failed.
> Hence my question is, does snort stop processing other output plugins as
> well, if any one of them fails in barnyard?
> or is there any way to make sure the other output plugins still get
> processed if one of them fails?
>
> Also, the order of the output plugins definition in barnyard2.conf is,
> first the syslog output is defined and at the end of the file database
> output plugin is defined.
> Hence I was thinking that snort should have processed the syslog plugin
> and have sent the syslogs to local1, before processing the database plugin
> and finding out that it is not able to connect to the database.
>
> Any suggestion/comment appreciated.
>
> Thanks,
> Fatema.
------------------------------------------------------------------------------

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!