Not sure if this is possible since technically it would be a modification to barnyard. However, since we patch barnyard to work with sguil, it may be possible.
Currently in debug mode, there is no message or error to the user if he/she is trying to read invalid unified log/alert files using barnyard with the sguil output plugin. I think such errors would be helpful and here's why:
As part of my initial setup I got stuck on barnyard. It compiled nicely and appeared to work fine, but it would not read my unified logs and push them to the barnyard_agent.
It turns out that in my Snort config file I had it set to use unified alerts, not unified logs. However, the output of barnyard showed it reading the files and told me the number of records, but that was it. Nothing was handed off to the agent though. It would have helped if barnyard would have said "hey dork, your events won't be handed to sguil because they are not unified LOGS. Perhaps they are unified alerts or not unified anything."
Maybe this would help avoid a config issue for someone down the road, as well as making sguil just a little easier to implement and thus increase its usage.
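The check the post is asking for, as an added example that is not part of the original post and not barnyard's or sguil's own code: a small Python sniffer that reads the first bytes of a Snort unified file and reports whether it looks like a unified log, a unified alert, or neither, so the mismatch described above surfaces as a clear message instead of a silent "N records" count. The magic values are the Snort 2.x spo_unified.h constants as I recall them (LOG_MAGIC 0xDEAD1080, ALERT_MAGIC 0xDEAD4137); treat them as an assumption and verify against your Snort source. The sample headers are constructed inline.

```python
import struct

# Assumed Snort 2.x unified file magic values (from spo_unified.h as recalled;
# verify against the Snort source you actually run).
UNIFIED_LOG_MAGIC = 0xDEAD1080
UNIFIED_ALERT_MAGIC = 0xDEAD4137

# Both unified headers start with: u32 magic, u16 version_major, u16 version_minor
# (assumption; the log header carries extra fields after these, which we ignore).
_HEADER_PREFIX = 8


def classify_unified(data: bytes) -> str:
    """Return 'unified-log', 'unified-alert', 'truncated' or 'unknown'
    for the first bytes of a file. Tries both byte orders because the
    unified format is written in the sensor's native endianness."""
    if len(data) < _HEADER_PREFIX:
        return "truncated"
    for fmt in ("<IHH", ">IHH"):
        magic, _major, _minor = struct.unpack(fmt, data[:_HEADER_PREFIX])
        if magic == UNIFIED_LOG_MAGIC:
            return "unified-log"
        if magic == UNIFIED_ALERT_MAGIC:
            return "unified-alert"
    return "unknown"


def explain(path: str, data: bytes, expected: str = "unified-log") -> str:
    """Produce the kind of message the post wishes barnyard printed:
    say what the file is, and why it will not be handed to sguil."""
    kind = classify_unified(data)
    if kind == expected:
        return f"{path}: OK, {kind} header recognised"
    if kind == "unified-alert":
        return (f"{path}: this is a unified ALERT file, not a unified LOG file; "
                f"events will not be handed to sguil. Check the 'output' line "
                f"in your Snort config (unified vs. unified alert).")
    if kind == "truncated":
        return f"{path}: file is shorter than a unified header ({len(data)} bytes)"
    return f"{path}: no unified magic found in header; not a unified log or alert file"


def check_file(path: str, expected: str = "unified-log") -> str:
    """Read just the header of a file on disk and explain it."""
    with open(path, "rb") as fh:
        return explain(path, fh.read(_HEADER_PREFIX), expected)


# Constructed sample headers (little-endian, version 1.81 as an arbitrary value).
SAMPLE_LOG = struct.pack("<IHH", UNIFIED_LOG_MAGIC, 1, 81) + b"\x00" * 12
SAMPLE_ALERT = struct.pack("<IHH", UNIFIED_ALERT_MAGIC, 1, 81)
SAMPLE_JUNK = b"#!/bin/sh\n"
SAMPLE_SHORT = b"\x80\x10"

if __name__ == "__main__":
    for name, blob in [("snort.log.1", SAMPLE_LOG), ("snort.alert.1", SAMPLE_ALERT),
                       ("notes.sh", SAMPLE_JUNK), ("empty.log", SAMPLE_SHORT)]:
        print(explain(name, blob))
```

Run it against a real sensor directory with `check_file("/path/to/snort.log.1234567890")`; if the constants differ on your build, every real file will come back "unknown", which is itself the signal to go look at spo_unified.h.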