Barnyard2 thinks snort spool logs are empty



  • I have snort set up on an Amazon EC2 linux server with a single rule that logs all TCP packets coming in. I installed barnyard with mysql to record these logs to a database. Snort runs fine, when I log in plaintext with -K ascii I can see all of the TCP packets in the log files. I can also see all of the snort.log.timestamp files in /var/log/snort when I log in the unified2 format.

    My problem is that when I run barnyard2, it doesn't find any information in the these logs. I get feedback such as "Closed spool file '/var/log/snort/snort.log.timestamp'. Read 0 records". I checked the logs and they do have data in them. It seems that there is some sort of configuration I missed that is preventing barnyard from reading the spools.


Locked