Barnyard2 exits if it can't connect to remote syslog
-
Hi,
Currently running pfsense 2.1.4-RELEASE (amd64) and Snort 2.9.7.0 pkg v3.2.2.
I've set up my snort logs, via barnyard2 to go to a remote syslog. I have tested (sample size of 1, but after barnyard shut itself off a couple of times) that if barnyard2 can not reach the remote syslog server, it shuts itself down (which is fine, I guess). When I tested it, barnyard2 shuts itself off after 5 mins (or so) and displays the error:
Aug 5 23:17:10 ip-172-16-1-1 barnyard2[64718]: Barnyard2 exiting
Aug 5 23:17:10 ip-171-16-1-1 barnyard2[64718]: FATAL ERROR: NetSend(): call failed for host:port '172.16.1.2:514' bailing…
So my questions are:
Can one confirm this is normal behaviour?
Is there a way I can set this up so that barnyard2 auto restarts after exiting (can hack a cron script if I have to) or get Barnyard2 to continue to try and send log entries to the remote host without exiting?
Thanks for your time,
MuppetPuppet -
Unfortunately not much can be done here. This is an internal function/feature of Barnyard2 itself. All the Snort package does is just launch the BY2 binary and feed it a configuration file. After that the BY2 binary does its own thing…
Best solution would be to see about making the remote syslog server more reliable (or reachable).
Bill
-
Thanks Bill, much appreciated.
I've switched it to UDP and added in further monitoring to ensure I get alerted when the logging stops for a period of time.
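One way to build the "alert when the logging stops" check mentioned in the last post, as an added example that is not from the thread, the Snort package or Barnyard2. It assumes the barnyard2 messages are readable as text lines in the syslog format quoted above; the function names, the 15-minute threshold and the sample lines are assumptions made for illustration.

```python
import re
from datetime import datetime, timedelta

# Line format as quoted in the thread: "Aug 5 23:17:10 host barnyard2[pid]: message"
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"barnyard2\[\d+\]: (?P<msg>.*)$"
)

def parse_line(line, now):
    """Return (timestamp, host, message) for a barnyard2 line, else None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    # These timestamps carry no year: try the current one, then fall back to
    # the previous one so December lines read in January are not in the future.
    for year in (now.year, now.year - 1):
        try:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        except ValueError:  # e.g. Feb 29 in a non-leap year
            continue
        if ts <= now + timedelta(days=1):
            return ts, m["host"], m["msg"]
    return None

def check_feed(lines, now, max_silence=timedelta(minutes=15)):
    """Report NetSend() failures and whether barnyard2 has gone quiet."""
    last_seen, failures = None, []
    for line in lines:
        parsed = parse_line(line, now)
        if parsed is None:
            continue  # not a barnyard2 line
        ts, host, msg = parsed
        last_seen = ts if last_seen is None else max(last_seen, ts)
        if "FATAL ERROR: NetSend(): call failed" in msg:
            failures.append((ts, host, msg))
    silent = last_seen is None or now - last_seen > max_silence
    return {"last_seen": last_seen, "netsend_failures": failures, "silent": silent}

# Constructed sample lines modelled on the messages quoted in the thread.
SAMPLE = [
    "Aug 5 23:10:02 sensor1 barnyard2[64718]: constructed test alert",
    "Aug 5 23:17:10 sensor1 barnyard2[64718]: FATAL ERROR: NetSend(): call failed for host:port '192.0.2.10:514' bailing...",
    "Aug 5 23:17:10 sensor1 barnyard2[64718]: Barnyard2 exiting",
    "Aug 5 23:18:00 sensor1 sshd[123]: constructed unrelated line",
]

if __name__ == "__main__":
    print(check_feed(SAMPLE, datetime(2014, 8, 5, 23, 40)))
```

Run from cron against the relevant log file, a result with `silent` set or a non-empty `netsend_failures` list is the condition to alert on.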