Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    Barnyard2 thinks snort spool logs are empty

    Scheduled Pinned Locked Moved pfSense Packages
    1 Posts 1 Posters 1.3k Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • P
      pkb
      last edited by

      I have snort set up on an Amazon EC2 linux server with a single rule that logs all TCP packets coming in. I installed barnyard with mysql to record these logs to a database. Snort runs fine, when I log in plaintext with -K ascii I can see all of the TCP packets in the log files. I can also see all of the snort.log.timestamp files in /var/log/snort when I log in the unified2 format.

      My problem is that when I run barnyard2, it doesn't find any information in the these logs. I get feedback such as "Closed spool file '/var/log/snort/snort.log.timestamp'. Read 0 records". I checked the logs and they do have data in them. It seems that there is some sort of configuration I missed that is preventing barnyard from reading the spools.

      1 Reply Last reply Reply Quote 0
      • First post
        Last post
      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.