[Oisf-users] PFRing & Barnyard2

[Kevin Ross]

Hi,

I was wondering what is the prefered way of doing barnyard2 with suricata
in pfring? I ask because now I am running more processes now I have better
hardware so when I ran say 8 processes each one seems to create its on
unified2.alert file but I start only 1 barnyard process and I noticed
things in the fast.log file that was not being picked up by barnyard.

So do I have to start up multiple barnyard processes too for each unified2
alert file and then do something like have multiple suricata.yaml files
with each one pointed to say alert2.unified2, alert2.unified3 and then have
barnyard and suricata started like this?

# Start Multiple Suricata Processes With PFRING
for COUNTER in 0 1 2 3 4 5 6 7; do
suricata  --pidfile /var/run/suricata$COUNTER.pid --pfring-int=eth1
--pfring-cluster-id=99 --pfring-cluster-type=cluster_flow -c
/etc/suricata/suricata.yaml --user suri --group suri -D
/usr/local/bin/barnyard2 -c /etc/suricata/barnyard2.conf -d
/var/log/suricata -f unified2.alert$COUNTER -w
/var/log/suricata/bylog.waldo -D
done

Thanks,
Kevin
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openinfosecfoundation.org/pipermail/oisf-users/attachments/20130809/ebf8e21b/attachment.html>