Barnyard2 problems with unified2 timestamp


jmdl...@gmail.com

Jun 7, 2018, 8:15:28 PM
to barnyard2-users
Hello All;

I am running into the following problem. I do realize that this is a problem that has been seen before. I am still looking through the archives (snort-users/snort-devel) trying to find a solution. I've seen the issue listed, but with no solution.

I have received a request for specifics from the users and developers groups and attached the documents requested (which I've attached here too), but nothing since then.

The following is what I have: RHEL7, barnyard2-2-1.13, and Snort 2.9.11.1 GRE (Build 268). I have built the setup on another RHEL7 server with the same version of snort but an earlier build, 2.9.11 GRE (build 125).

Here is my barnyard2 startup (from shell script):

    /usr/local/bin/barnyard2 --pid-path /run --nolock-pidfile -D \
        -c /etc/barnyard2/barnyard2.conf -d /var/log/snort \
        -w /var/log/snort/barnyard2.waldo -f unified -l /var/log/barnyard2

Here is my current problem: when starting barnyard2 I see the following warning being reported in the journal:

    Can't extract timestamp extension from 'unified2.15247xxxxx' using base 'unified'

This warning cycles continually, listing the same unified2 logs. I know that the snort.conf setting of 'nostamp' will usually specify no time stamp, but here is my snort.conf setting (also see the attached snort.conf file):

    output unified2: filename /var/log/snort/unified2, limit 10

I am not seeing the waldo file being created, and I am seeing the following message in /var/log/messages:

    WARNING: Unable to open waldo file '/var/log/snort/barnyard2.waldo' (no such file or directory).

I have tried creating it with touch /var/log/snort/barnyard2_waldo and made sure permissions were correct; this generates the following message (in the journal): waldo file is truncated or corrupt... I tested snort with the -T flag and have set the config with the -c switch, and it completes successfully. I am looking at the unified2 files, which are appended with the unix epoch time stamp, and the time is correct. I've run a test using the -T switch with barnyard2, but it appears to just hang when it reads the barnyard.conf file. Hopefully someone in either of these groups can offer some insight that may help me resolve this problem.

Thank You and Best Regards............Joseph M
snort.conf.txt
barnyard2.conf.txt
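The warning quoted in the post above comes from barnyard2's spool-file scan: it is started with -d (spool directory) and -f (base filename) and expects Snort to have written files named base.epoch in that directory. When no file in the directory parses against the configured base, barnyard2 has nothing to read and forwards no alerts, which is a silent gap in the detection pipeline rather than a hard failure, so it is worth checking the two configurations against each other before deploying. The following Python is an added example, not code from the thread or from the barnyard2 project: it is a simplified reconstruction of that naming rule, the directory listing is constructed (the epoch values are made up), and the exact matching logic inside barnyard2 is assumed rather than copied.

```python
"""Model of barnyard2's spool-file naming check (constructed example, not barnyard2 code).

barnyard2 reads unified2 spool files named `<base>.<unix-epoch>` from the
directory given with -d, where <base> is the -f argument. The numeric suffix is
what it orders files by and records in the waldo file. The check below is an
assumed, simplified reconstruction of that rule.
"""
import posixpath
import re
from typing import List, Optional, Tuple

# Constructed directory listing: what Snort writes when snort.conf contains
# "output unified2: filename /var/log/snort/unified2, limit 10" (epoch values
# are made up for the example).
SAMPLE_SPOOL_DIR = [
    "unified2.1524700001",
    "unified2.1524700600",
    "barnyard2.waldo",
    "snort.log",
]


def timestamp_extension(filename: str, base: str) -> Optional[int]:
    """Return the epoch suffix if `filename` is exactly `<base>.<digits>`, else None."""
    m = re.fullmatch(re.escape(base) + r"\.(\d+)", filename)
    return int(m.group(1)) if m else None


def scan_spool_dir(entries: List[str], base: str) -> Tuple[List[str], List[str]]:
    """Split a listing into usable spool files (oldest first) and warnings.

    Entries that carry the base as a prefix but do not parse as <base>.<epoch>
    are the condition reported as "Can't extract timestamp extension"; files
    that do not share the prefix at all are simply ignored.
    """
    usable = []
    warnings = []
    for name in entries:
        if not name.startswith(base):
            continue  # unrelated file in the spool directory
        ts = timestamp_extension(name, base)
        if ts is None:
            warnings.append(
                f"Can't extract timestamp extension from '{name}' using base '{base}'"
            )
        else:
            usable.append((ts, name))
    usable.sort()  # barnyard2 processes from the oldest epoch forward
    return [name for _, name in usable], warnings


def expected_base_from_snort_conf(directive: str) -> Tuple[str, str]:
    """Derive (directory, base) from a Snort 'output unified2:' line.

    The result is what barnyard2's -d and -f arguments must be set to for the
    spool files to be found; the directive format is taken from the post.
    """
    m = re.search(r"output\s+unified2:\s*filename\s+(\S+?)\s*(,|$)", directive)
    if not m:
        raise ValueError("not a unified2 output directive")
    path = m.group(1)
    return posixpath.dirname(path), posixpath.basename(path)


if __name__ == "__main__":
    spool_dir, base = expected_base_from_snort_conf(
        "output unified2: filename /var/log/snort/unified2, limit 10"
    )
    print(f"snort.conf implies: -d {spool_dir} -f {base}")
    for configured in ("unified", base):
        files, warns = scan_spool_dir(SAMPLE_SPOOL_DIR, configured)
        print(f"\n-f {configured}: {len(files)} usable file(s), {len(warns)} warning(s)")
        for w in warns:
            print("  " + w)
        for f in files:
            print("  will process " + f)
```

Running the block prints zero usable files and one warning per spool file for base "unified", and two usable files with no warnings for base "unified2"; the same comparison can be run on a real listing from os.listdir against the -f value in a barnyard2 start script.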

Noah Dietrich

Jun 15, 2018, 6:36:49 AM
to barnyar...@googlegroups.com
Hello Joseph,
It doesn't look like anyone has answered your question, and although I don't know the answer, I'd recommend a few things:

1. Are you running barnyard2 and snort with root credentials? Try sudo, if that's available on your system, to see if that helps.
2. Try a chmod -R 777 on the folder holding the u2 files and the waldo file to ensure permissions aren't the issue.
3. The 'nostamp' option in snort doesn't affect the u2 events inside the file; it refers to appending the UTC timestamp to the filename when the logs roll over.
4. Try creating an empty waldo file before you start barnyard2. It needs that file to exist before it starts, even if it's empty. It will generate that warning that the waldo file is truncated or corrupt, but that's OK, because it will then just start processing U2 files based on the oldest file (by UTC timestamp on the file) and keep track of where it is by writing to that waldo file.


You received this message because you are subscribed to the Google Groups "barnyard2-users" group.

joseph m

Jun 17, 2018, 6:43:09 PM
to barnyar...@googlegroups.com
Hello Noah;

I did try all of that which you have listed above, to no avail. I decided to strip barnyard2 out and do a complete re-install, and this apparently worked! I do appreciate your response and thanks for helping out.............................Joseph M