Snort mailing list archives
Problem with unified2 files
From: joseph m via Snort-users <snort-users () lists snort org>
Date: Tue, 8 May 2018 11:57:46 +0900
Hello All,
I am running into the following problem. Now I do realize
that this is a problem that has been seen before. I am still looking
through the archives trying to find a solution. I have seen one reference
to the problem but no solution was posted!
The following is what I have: RHEL7, barnyard2-2-1.13, and Snort 2.9.11.1 GRE (Build 268). I have
built the exact setup on another RHEL7 server with all the same versions of the
above listed software and did not have this problem.
Here is my current problem: when starting barnyard2 I see the following
warning being reported in the journal:
[ Can't extract timestamp extension from 'unified2.15247xxxxx' using base
'unified' ]
This warning cycles continually through listing the same
unified2 logs. I know that the snort.conf setting of 'nostamp' will usually
specify no time stamp, but here is my snort.conf setting:
[ output unified2: filename /var/log/snort/unified2, limit 10 ]
I have deleted the older unified2 files prior to bringing up barnyard2
since they were a week or so old. I am also not seeing the waldo file being
created. I have tried doing a touch /var/log/snort/barnyard2_waldo and gave it
correct permissions. I see a warning in the journal stating the waldo file
is truncated or corrupt...
I have noticed that the unified2 files are zero length, so I am wondering if
this is why the waldo file is not being created. I've looked at the
interface and there is plenty of traffic going across it...
I apologize if I am stating a known issue... I'd appreciate anything anyone
can tell me to steer me in the right direction.
Thank you and best regards,
Joseph M
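As an added example (not part of Joseph's post and not barnyard2's own code), the script below reproduces the two checks that the warning and the zero-length observation point at: whether each spool file name is `<base>.<epoch>` for the base barnyard2 was given, and whether the file actually has content. It assumes, as a modelling choice rather than a fact taken from the post, that barnyard2 accepts a spool file only when the text before the final dot equals its configured base; with that assumption, base `unified` rejects `unified2.1524700000` exactly as the journal message shows, while base `unified2` accepts it. The directory listing, file names and sizes are constructed; `real_listing()` builds the same structure from a live `/var/log/snort`.

```python
import os
import re
from collections import Counter
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Assumption (not stated in the post): barnyard2 expects spool files named
# "<base>.<epoch seconds>" and accepts a file only when the part before the
# final dot equals the base it was configured with.
SPOOL_NAME_RE = re.compile(r"^(?P<base>.+)\.(?P<stamp>\d+)$")


def timestamp_extension(filename: str, base: str) -> Optional[int]:
    """Return the epoch timestamp of a spool file name, or None when the
    name is not `base` followed by a dot and digits (the warning case)."""
    m = SPOOL_NAME_RE.match(filename)
    if m is None or m.group("base") != base:
        return None
    return int(m.group("stamp"))


@dataclass
class SpoolReport:
    usable: List[Tuple[str, int]] = field(default_factory=list)  # (name, epoch)
    name_mismatch: List[str] = field(default_factory=list)       # wrong base
    empty: List[str] = field(default_factory=list)               # zero bytes


def check_spool(listing: Dict[str, int], base: str) -> SpoolReport:
    """Classify a directory listing (filename -> size in bytes).

    Files that do not look like "<something>.<digits>" are skipped, so a
    waldo bookmark file in the same directory is not reported as a mismatch.
    """
    report = SpoolReport()
    for name, size in sorted(listing.items()):
        if SPOOL_NAME_RE.match(name) is None:
            continue
        stamp = timestamp_extension(name, base)
        if stamp is None:
            report.name_mismatch.append(name)
        elif size == 0:
            report.empty.append(name)
        else:
            report.usable.append((name, stamp))
    return report


def infer_base(listing: Dict[str, int]) -> Optional[str]:
    """Most common "<base>" prefix among spool-looking files; a quick way
    to compare what is on disk against the base barnyard2 was started with."""
    counts = Counter(
        m.group("base")
        for name in listing
        if (m := SPOOL_NAME_RE.match(name)) is not None
    )
    return counts.most_common(1)[0][0] if counts else None


def real_listing(path: str) -> Dict[str, int]:
    """Build the same filename -> size mapping from an actual directory."""
    return {e.name: e.stat().st_size for e in os.scandir(path) if e.is_file()}


# Constructed sample listing, shaped like the situation described in the post:
# one zero-length spool file, one with data, and a touched waldo file.
SAMPLE_LISTING = {
    "unified2.1524700000": 0,
    "unified2.1524700100": 4096,
    "barnyard2_waldo": 0,
}

if __name__ == "__main__":
    for base in ("unified", "unified2"):
        r = check_spool(SAMPLE_LISTING, base)
        print(f"base={base!r}: usable={r.usable} "
              f"mismatch={r.name_mismatch} empty={r.empty}")
    print("base inferred from files on disk:", infer_base(SAMPLE_LISTING))
```

Running it against the constructed listing shows the two failure modes separately: with base `unified` every spool file lands in `name_mismatch` (nothing is ever read, so no waldo bookmark is written), and with base `unified2` the zero-length file lands in `empty` while the one with data is usable. On a live sensor, replace `SAMPLE_LISTING` with `real_listing("/var/log/snort")` and compare `infer_base()` against the base in the barnyard2 configuration.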
