Sagan not creating unified output

DigiAngel

Dec 19, 2011, 1:21:01 PM
to sagan-users
Topic says it...added the line:

output unified2: filename sagan.u2, limit 128

To sagan.conf and no files are created.

var SAGANLOGPATH /var/log/sagan

is set with sagan:sagan as the user. Anything I can do to debug
this? Thanks.

James

Champ Clark III [Quadrant]

Dec 19, 2011, 1:31:08 PM
to sagan...@googlegroups.com
Make sure there are no spaces leading out to the "output"...

For example..

" output unified2: filename sagan.u2, limit 128"

versus

"output unified2: filename sagan.u2, limit 128"

DigiAngel

Dec 20, 2011, 9:53:35 AM
to sagan-users
Yep...no leading spaces. Is there anything else I can check? Do I
need to recompile sagan or anything like that? Is there a debug
option I can set? Thank you.

James

On Dec 19, 11:31 am, "Champ Clark III [Quadrant]" <ccl...@quadrantsec.com> wrote:
> Make sure there are no spaces leading out to the "output"...
>
> For example..
>
> " output unified2: filename sagan.u2, limit 128"
>
> versus
>
> "output unified2: filename sagan.u2, limit 128"
>
> On Dec 19, 2011, at 1:21 PM, DigiAngel wrote:
>
> > Topic says it...added the line:
>
> > output unified2: filename sagan.u2, limit 128
>
> > To sagan.conf and no files are created.
>
> > var SAGANLOGPATH /var/log/sagan
>
> > is set with sagan:sagan as the user.  Anything I can do to debug
> > this?  Thanks.
>
> > James
>

Champ Clark III [Quadrant]

Dec 20, 2011, 10:12:37 AM
to sagan...@googlegroups.com
Sure..

Again, make sure the unified2 output line is like thus (which I think you did, but just to clarify):

output unified2: filename sagan.u2, limit 128

Also, make sure Sagan is built with libdnet support. This allows Sagan to "recreate packets" for unified2 output. Normally, I'd say running "sagan -h" will show library support. However, I just noticed it doesn't show whether libdnet support is included or not (something I need to fix for future debugging issues).

If you run "ldd sagan" you should see a "libdnet.so.1" reference. If you do not, then that's likely the problem. Let me know how it works out.


Champ Clark III [Quadrant]

Dec 20, 2011, 10:18:02 AM
to sagan...@googlegroups.com
I just pushed up to the git tree for Sagan to tell you if libdnet support (for unified2) is included.
When you run "sagan -h", you _should_ see

* libdnet (for unified2) support is included. 

Let me know how it works out.

DigiAngel

Dec 20, 2011, 10:54:04 AM
to sagan-users
Yea that was just the ticket. May want to include a check that checks
for unified2 in the config, but no libdnet support in the app when you
run it :) Working like a "champ" now :) Get it? Ok....not a good
joke but it's all I got on a Tuesday morning ;) Thanks Champ.

James

Champ Clark III [Quadrant]

Dec 20, 2011, 11:09:24 AM
to sagan...@googlegroups.com
Oh yeah, I've _never_ heard that one before! :)

./configure does check for libdnet, but if you don't have it, it'll "assume" you don't want that support. However, I see what you're saying. If you have "unified2" enabled in the config, but Sagan hasn't been built for it, give a warning/error. I'll add that in ASAP, because I think you're right.

I added in the "sagan -h" to help assist in the future if this comes up.

Da Beave

Jan 6, 2012, 12:32:19 PM
to sagan-users
FYI. I've added this into the git code (error checking/warning) if
output format doesn't have the necessary dependencies.
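
The two checks from this thread (the unified2 line in sagan.conf starting in the first column, and `ldd sagan` showing a libdnet reference) can be scripted as a pre-flight check. This is an added example, not part of the original thread and not Sagan's own code; the function names and the sample inputs are constructed for illustration.

```shell
#!/bin/sh
# Added example; function names and sample data are constructed.

# Classify the unified2 directive in a sagan.conf-style file.
# Prints: ok | indented | absent (a commented-out line counts as absent).
unified2_line_status() {
    if grep -Eq '^output[[:space:]]+unified2:' "$1"; then
        echo ok
    elif grep -Eq '^[[:space:]]+output[[:space:]]+unified2:' "$1"; then
        echo indented
    else
        echo absent
    fi
}

# Read `ldd` output on stdin; succeed only if a libdnet.so entry is
# present and the loader resolved it (no "not found").
links_libdnet() {
    grep -E 'libdnet\.so' | grep -qv 'not found'
}

# $1 = config path, $2 = file holding saved `ldd sagan` output.
# Prints one verdict line; returns 0 only when unified2 output can work.
check_unified2() {
    status=$(unified2_line_status "$1")
    case $status in
        absent)   echo "unified2 not enabled in config"; return 1 ;;
        indented) echo "unified2 line has leading whitespace"; return 1 ;;
    esac
    if links_libdnet < "$2"; then
        echo "unified2 enabled and libdnet linked"
    else
        echo "unified2 enabled but binary lacks libdnet"
        return 1
    fi
}

# Demo on constructed inputs: config is fine, binary has no libdnet.
demo_dir=$(mktemp -d)
printf 'var SAGANLOGPATH /var/log/sagan\n' > "$demo_dir/sagan.conf"
printf 'output unified2: filename sagan.u2, limit 128\n' >> "$demo_dir/sagan.conf"
printf '\tlibc.so.6 => /lib/libc.so.6 (0x0000)\n' > "$demo_dir/ldd.txt"
check_unified2 "$demo_dir/sagan.conf" "$demo_dir/ldd.txt" || true
rm -rf "$demo_dir"
```

On a real host, save the output of `ldd` run against your sagan binary to a file and pass it along with the path to your own sagan.conf.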
