[Oisf-users] How to view unified2 logs ?
Victor Julien
victor at inliniac.net
Tue Oct 26 15:13:18 UTC 2010
For unified2 you will have to use Barnyard2:
http://www.securixlive.com/barnyard2/index.php
It works pretty much the same as the original barnyard except it works
with unified2 files :)
Cheers,
Victor
Morgan Cox wrote:
> Hi.
>
> Although I have got suricata to output to fast.log, the archived logs are
> put into unified2 log format.
>
> I have tried to use http://code.google.com/p/snort-unified-perl/ - but
> this seemed to fail.
>
> I have tried installing barnyard on my local machine and copied the logs
> and confirm files from the server (I am most likely doing this wrong)
>
> barnyard -f unified2.alert -d /home/morgan/suricata/ -c
> /home/morgan/Downloads/barnyard-0.2.0/etc/barnyard.conf -p
> /home/morgan/csmith-suricata/suricata/classification.config -s
> /home/morgan/csmith-suricata/suricata/rules/emerging-sid-msg.map -vvvvv
> -g /home/morgan/csmith-suricata/suricata/gen-msg.map -L /home/morgan/
>
> Gives:-
> ---------------------------
> Barnyard Version 0.2.0 (Build 32)
>
> Command line arguments:
> Config file: /home/morgan/Downloads/barnyard-0.2.0/etc/barnyard.conf
> Spool dir: /home/morgan/suricata/
> Gen-msg file: /home/morgan/csmith-suricata/suricata/gen-msg.map
> Sid-msg file: /home/morgan/csmith-suricata/suricata/rules/emerging-sid-msg.map
> Class file: /home/morgan/csmith-suricata/suricata/classification.config
> Log dir: /home/morgan/
> Archive dir: Not specified
> File base: unified2.alert
> Waldo file: Not specified
> Pid file: Not specified
> Verbosity level: 5
> Dry run flag: Not Set
> Batch mode flag: Not Set
> Daemon flag: Not Set
> New records only flag: Not Set
> Usage flag: Not Set
> Version flag: Not Set
>
> Config file variables:
> Hostname: snorthost
> Interface: fxp0
> BPF Filter: not port 22
> Class file: Not specified
> Sid-msg file: Not specified
> Gen-msg file: Not specified
> Daemon flag: Not Set
> Localtime flag: Not Set
>
> Program Variables:
> Continual processing mode
> Config dir: /home/morgan/Downloads/barnyard-0.2.0/etc
> Config file: /home/morgan/Downloads/barnyard-0.2.0/etc/barnyard.conf
> Sid-msg file: /home/morgan/csmith-suricata/suricata/rules/emerging-sid-msg.map
> Gen-msg file: /home/morgan/csmith-suricata/suricata/gen-msg.map
> Class file: /home/morgan/csmith-suricata/suricata/classification.config
> Hostname: snorthost
> Interface: fxp0
> BPF Filter: not port 22
> Log dir: /home/morgan/
> Verbosity: 5
> Localtime: 0
> Spool dir: /home/morgan/suricata/
> Spool file: unified2.alert
> Start at end: 0
>
> Opened spool file '/home/morgan/suricata//unified2.alert.1282825983'
> Error reading magic from '/home/morgan/suricata//unified2.alert.1282825983'
> Closing spool file '/home/morgan/suricata//unified2.alert.1282825983'. Read 0 records
>
> Opened spool file '/home/morgan/suricata//unified2.alert.1282826838'
> Error reading magic from '/home/morgan/suricata//unified2.alert.1282826838'
> Closing spool file '/home/morgan/suricata//unified2.alert.1282826838'. Read 0 records
>
> Opened spool file '/home/morgan/suricata//unified2.alert.1282827192'
> ---------------------------
>
> Is it actually possible for me to view the logs?
>
> Can anyone give me an example of how to?
>
> Cheers
>
--
---------------------------------------------
Victor Julien
http://www.inliniac.net/
PGP: http://www.inliniac.net/victorjulien.asc
---------------------------------------------
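To show what Barnyard2 does that barnyard 0.2.0 cannot, here is an added example (my code, not Victor's and not the barnyard2 project's): a minimal Python reader that walks a unified2 file record by record, decodes the legacy IPv4 IDS event records, and joins them with a sid-msg.map like the one Morgan passed with -s, so the alerts can be viewed as fast.log-style lines. The record layout follows the published unified2 spec; the sample event bytes and the map line are constructed for the demo.

```python
import ipaddress
import struct

UNIFIED2_IDS_EVENT = 7  # legacy IPv4 event record type from the unified2 spec
EVENT_FMT = ">IIIIIIIIIIIHHBBBB"  # 52-byte Unified2IDSEvent layout, big-endian
EVENT_FIELDS = ("sensor_id", "event_id", "event_second", "event_microsecond", "signature_id",
                "generator_id", "signature_revision", "classification_id", "priority_id",
                "ip_source", "ip_destination", "sport_itype", "dport_icode", "protocol",
                "impact_flag", "impact", "blocked")

def iter_records(data):
    """Yield (type, payload) for each record. unified2 has no file magic: the file is
    just (type, length) headers followed by payload, so a unified(v1) reader such as
    barnyard 0.2.0, which expects a magic number first, reports 'Error reading magic'."""
    off = 0
    while off + 8 <= len(data):
        rtype, rlen = struct.unpack(">II", data[off:off + 8])
        if off + 8 + rlen > len(data):
            raise ValueError("truncated record at offset %d" % off)  # file still being written
        yield rtype, data[off + 8:off + 8 + rlen]
        off += 8 + rlen

def load_sid_msg(text):
    """Parse sid-msg.map lines ('sid || msg || reference ...') into {sid: msg}."""
    out = {}
    for line in text.splitlines():
        parts = [p.strip() for p in line.split("||")]
        if len(parts) >= 2 and parts[0].isdigit():
            out[int(parts[0])] = parts[1]
    return out

def events_as_fastlog(data, sid_msg):
    """Render every IDS event record as a fast.log-style line; other record types are skipped."""
    lines = []
    for rtype, payload in iter_records(data):
        if rtype != UNIFIED2_IDS_EVENT or len(payload) < 52:
            continue
        ev = dict(zip(EVENT_FIELDS, struct.unpack(EVENT_FMT, payload[:52])))
        lines.append("[%d:%d:%d] %s [Priority: %d] {%d} %s:%d -> %s:%d" % (
            ev["generator_id"], ev["signature_id"], ev["signature_revision"],
            sid_msg.get(ev["signature_id"], "unknown sid"), ev["priority_id"], ev["protocol"],
            ipaddress.IPv4Address(ev["ip_source"]), ev["sport_itype"],
            ipaddress.IPv4Address(ev["ip_destination"]), ev["dport_icode"]))
    return lines

# Constructed sample input (not real sensor data): one event record and a sid-msg.map excerpt.
SAMPLE_EVENT = struct.pack(EVENT_FMT, 0, 1, 1282825983, 0, 2000001, 1, 3, 1, 2,
                           0x0A000005, 0xC0A80109, 41234, 80, 6, 0, 0, 0)  # 10.0.0.5 -> 192.168.1.9
SAMPLE_U2 = struct.pack(">II", UNIFIED2_IDS_EVENT, len(SAMPLE_EVENT)) + SAMPLE_EVENT
SAMPLE_MAP = "2000001 || ET EXAMPLE Constructed test signature || url,example.invalid\n"
```

Run `events_as_fastlog(open(path, "rb").read(), load_sid_msg(open(mapfile).read()))` on a real unified2.alert.* file; packet and extra-data records are skipped, and a file that Suricata is still appending to raises ValueError on its trailing partial record.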