I am launching two instances of snort with the following commands:

/usr/local/bin/snort -i eth2 -A full -c /etc/snort/snort.conf -D
/usr/local/bin/snort -i eth3 -A full -c /etc/snort/snort.conf -D

I have this in my ossec.conf file with ossec running in agent mode on
my snort sensor:
  <localfile>
    <log_format>snort-full</log_format>
    <location>/var/log/snort/alert</location>
  </localfile>

This is what I get in my ossec.log:
2007/08/31 11:23:51 ossec-logcollector: Started (pid: 5249).
2007/08/31 11:30:13 ossec-logcollector: Bad formated snort full file.
2007/08/31 11:44:51 ossec-logcollector: Bad formated snort full file.
2007/08/31 12:06:55 ossec-logcollector: Bad formated snort full file.
2007/08/31 12:15:53 ossec-logcollector: Bad formated snort full file.
2007/08/31 12:17:31 ossec-logcollector: Bad formated snort full file.
2007/08/31 12:17:57 ossec-logcollector: Bad formated snort full file.
2007/08/31 12:18:39 ossec-logcollector: Bad formated snort full file.
2007/08/31 12:19:29 ossec-logcollector: Bad formated snort full file.
2007/08/31 12:21:09 ossec-logcollector: Bad formated snort full file.
2007/08/31 12:21:35 ossec-logcollector: Bad formated snort full file.
2007/08/31 12:22:21 ossec-logcollector(1904): File not available, ignoring it: '/var/log/snort/alert'.


After which I stop getting any alerts from ossec on the snort events.
Does anyone have any ideas as to why this may be happening? (If there
was a previous discussion about this issue, please let me know and
point me at it.)

I'm using ossec 1.3 with snort 2.7.0.1.

-- 
Zac Roetemeyer
[EMAIL PROTECTED]

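The two snort daemons above are started from the same snort.conf, so both may be appending to the single alert file that OSSEC reads (an assumption, not something the post states). As an added example, not part of this thread or of OSSEC's own code, here is a small Python checker that splits a snort "full" alert file into blank-line-delimited blocks and reports the ones a strict reader would reject, including a block that carries two `[**]` headers, which is what two writers interleaving into one file produce. The sample alert text is constructed.

```python
import re

# Constructed sample: one well-formed snort "full" alert block, then a block
# whose header line was immediately followed by a second sensor's header.
SAMPLE = """[**] [1:1000001:1] TEST ICMP echo request [**]
[Classification: Misc activity] [Priority: 3]
08/31-11:30:13.123456 192.0.2.10 -> 192.0.2.20
ICMP TTL:64 TOS:0x0 ID:1234 IpLen:20 DgmLen:84
Type:8  Code:0  ID:4321   Seq:1  ECHO

[**] [1:1000002:1] TEST TCP SYN to 80 [**]
[**] [1:1000003:1] TEST second sensor alert [**]
[Classification: Misc activity] [Priority: 3]
08/31-11:30:13.223456 192.0.2.11:40000 -> 192.0.2.20:80
TCP TTL:64 TOS:0x0 ID:1 IpLen:20 DgmLen:60 DF
"""

# Header: "[**] [gid:sid:rev] message [**]"
HEADER = re.compile(r"^\[\*\*\] \[\d+:\d+:\d+\] .* \[\*\*\]$")
# Packet line: "MM/DD-HH:MM:SS.usec src -> dst" (ports optional)
TIMESTAMP = re.compile(r"^\d\d/\d\d-\d\d:\d\d:\d\d\.\d+ \S+ -> \S+$")


def check_snort_full(text):
    """Return a list of (block_number, reason) for every block that does
    not look like a single, complete snort full-format alert."""
    problems = []
    blocks = [b for b in text.split("\n\n") if b.strip()]
    for n, block in enumerate(blocks, 1):
        lines = block.strip().splitlines()
        headers = [l for l in lines if l.startswith("[**] [")]
        if not HEADER.match(lines[0]):
            problems.append((n, "block does not start with a [**] header"))
        elif len(headers) > 1:
            # Two headers in one block: a second writer landed between the
            # first writer's header and its packet lines.
            problems.append((n, "multiple headers in one block (interleaved writers?)"))
        elif not any(TIMESTAMP.match(l) for l in lines):
            problems.append((n, "no timestamp/address line"))
    return problems


if __name__ == "__main__":
    for number, reason in check_snort_full(SAMPLE):
        print(f"block {number}: {reason}")
```

Run it against the real file with `check_snort_full(open("/var/log/snort/alert").read())`; if it reports interleaved blocks, giving each snort instance its own log directory (the `-l` option) removes the shared writer.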