I am launching two instances of snort with the following commands:

  /usr/local/bin/snort -i eth2 -A full -c /etc/snort/snort.conf -D
  /usr/local/bin/snort -i eth3 -A full -c /etc/snort/snort.conf -D
I have this in my ossec.conf file with ossec running in agent mode on my snort sensor:

  <localfile>
    <log_format>snort-full</log_format>
    <location>/var/log/snort/alert</location>
  </localfile>

This is what I get in my ossec.log:

  2007/08/31 11:23:51 ossec-logcollector: Started (pid: 5249).
  2007/08/31 11:30:13 ossec-logcollector: Bad formated snort full file.
  2007/08/31 11:44:51 ossec-logcollector: Bad formated snort full file.
  2007/08/31 12:06:55 ossec-logcollector: Bad formated snort full file.
  2007/08/31 12:15:53 ossec-logcollector: Bad formated snort full file.
  2007/08/31 12:17:31 ossec-logcollector: Bad formated snort full file.
  2007/08/31 12:17:57 ossec-logcollector: Bad formated snort full file.
  2007/08/31 12:18:39 ossec-logcollector: Bad formated snort full file.
  2007/08/31 12:19:29 ossec-logcollector: Bad formated snort full file.
  2007/08/31 12:21:09 ossec-logcollector: Bad formated snort full file.
  2007/08/31 12:21:35 ossec-logcollector: Bad formated snort full file.
  2007/08/31 12:22:21 ossec-logcollector(1904): File not available, ignoring it: '/var/log/snort/alert'.

After which I stop getting any alerts from ossec on the snort events. Does anyone have any ideas as to why this may be happening (if there was a previous discussion about this issue, please let me know... and point me at it). I'm using ossec 1.3 with snort 2.7.0.1.

-- 
Zac Roetemeyer
[EMAIL PROTECTED]
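The post above shows ossec-logcollector rejecting /var/log/snort/alert as a "Bad formated snort full file" while two snort processes append to that one file. A quick way to confirm whether the file itself is the problem is to walk it record by record and report the first record that does not look like a single full-format alert. The script below is an added example, not code from the original post, from OSSEC, or from Snort. It assumes the usual layout of a Snort "-A full" record (a `[**] [gid:sid:rev] msg [**]` header, an optional classification line, a timestamp/packet line, then protocol lines, with a blank line between records); the sample file embedded in it is constructed, and its third record is a constructed illustration of what two writers interleaving in one file can produce. The check is deliberately lenient about everything except the record boundaries, so it flags structure problems rather than second-guessing Snort's field formats.

```python
import re
from typing import List, Optional, Tuple

# Constructed sample of a Snort "-A full" alert file (not a real capture).
# Records 1 and 2 are well-formed. Record 3 shows a second "[**] ... [**]"
# header landing inside another record, which is what interleaved appends
# from two snort processes sharing one alert file can look like.
SAMPLE_ALERT_FILE = """[**] [1:1000001:1] TEST ping [**]
[Classification: Misc activity] [Priority: 3]
08/31-11:23:51.123456 192.0.2.10 -> 192.0.2.20
ICMP TTL:64 TOS:0x0 ID:1 IpLen:20 DgmLen:84
Type:8  Code:0  ID:1   Seq:1  ECHO

[**] [1:1000002:1] TEST syn [**]
[Classification: Attempted Information Leak] [Priority: 2]
08/31-11:30:13.654321 192.0.2.10:40000 -> 192.0.2.20:80
TCP TTL:64 TOS:0x0 ID:2 IpLen:20 DgmLen:60 DF
******S* Seq: 0x1  Ack: 0x0  Win: 0x7210  TcpLen: 40

[**] [1:1000003:1] TEST from eth3 [**]
[Classification: Misc activity] [Priority: 3]
[**] [1:1000004:1] TEST from eth2 [**]
08/31-11:30:13.700000 192.0.2.30 -> 192.0.2.20
ICMP TTL:64 TOS:0x0 ID:3 IpLen:20 DgmLen:84
Type:8  Code:0  ID:2   Seq:1  ECHO

"""

# Assumed shapes of the header and the timestamp/packet line (Snort 2.x full format).
HEADER_RE = re.compile(r'^\[\*\*\] \[(\d+):(\d+):(\d+)\] (.+) \[\*\*\]$')
TIMESTAMP_RE = re.compile(r'^\d{2}/\d{2}-\d{2}:\d{2}:\d{2}\.\d+ ')


def split_records(text: str) -> List[List[str]]:
    """Split a full-format alert file into records; a blank line ends a record."""
    records: List[List[str]] = []
    current: List[str] = []
    for line in text.splitlines():
        if line.strip() == "":
            if current:
                records.append(current)
                current = []
        else:
            current.append(line)
    if current:  # file may end without a trailing blank line
        records.append(current)
    return records


def check_record(lines: List[str]) -> Optional[str]:
    """Return None if the record looks well-formed, otherwise a reason string."""
    if not HEADER_RE.match(lines[0]):
        return "first line is not a '[**] [gid:sid:rev] msg [**]' header"
    header_positions = [i for i, l in enumerate(lines) if HEADER_RE.match(l)]
    if len(header_positions) > 1:
        # Two headers without a blank line between them: a second writer
        # (or a truncated record) got into the middle of this one.
        return f"extra header at line {header_positions[1] + 1} of record (interleaved write?)"
    if not any(TIMESTAMP_RE.match(l) for l in lines):
        return "no timestamp/packet line"
    return None


def validate(text: str) -> Tuple[int, List[Tuple[int, str]]]:
    """Return (well_formed_count, problems); problems are (record_index, reason)."""
    problems: List[Tuple[int, str]] = []
    ok = 0
    for idx, rec in enumerate(split_records(text)):
        reason = check_record(rec)
        if reason is None:
            ok += 1
        else:
            problems.append((idx, reason))
    return ok, problems


def validate_file(path: str) -> Tuple[int, List[Tuple[int, str]]]:
    """Convenience wrapper to run the check against an on-disk alert file."""
    with open(path, "r", errors="replace") as fh:
        return validate(fh.read())


if __name__ == "__main__":
    good, bad = validate(SAMPLE_ALERT_FILE)
    print(f"{good} well-formed record(s)")
    for index, why in bad:
        print(f"record {index}: {why}")
```

Running it against the embedded sample reports two good records and flags record 2 (the third one) for the extra header. Pointed at a real alert file with `validate_file("/var/log/snort/alert")`, a non-empty problem list right around the timestamps in the ossec.log above would support the reading that the two snort processes are corrupting each other's records; an empty list would point back at the collector instead.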