That did it.  Thank you very much.  I was starting to get a headache trying to figure out why I could see alerts everywhere else but not in SGUIL.


On Thu, Dec 12, 2013 at 11:42 AM, William Allison <wallison.14@gmail.com> wrote:
> ####################################################
>
> I've manually run the SNORT test function and it tested successfully
> with my snort.conf file.  Yes, I do have "output unified2: filename
> snort.log, limit 128" within my snort.conf.
>
> I've even enabled the output modules for syslog and log_tcpdump.  In
> my syslog I do see the alerts being generated, but I do not see them in
> the tcpdump.log that is created.
>
> Here is what I used to daemonize snort.
>
> SNORT_LOG=/var/log/snort-$HOSTNAME
>
> snort -u sguil -g sguil -m 122 -l $SNORT_LOG -c /etc/snort/snort.conf -i $IFACE -A full -U --pid-path $PIDDIR -D
>

I believe you need to remove the "-A full" option.


_______________________________________________
Sguil-users mailing list
Sguil-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/sguil-users
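Added example (not from either poster, and not part of the Sguil project): a POSIX sh wrapper that builds the sensor's snort command line from the snippet quoted above with the alert-mode switch dropped, because a command-line -A alert mode supersedes the output directives in snort.conf (snort logs "command line overrides rules file alert plugin!"), so the unified2 spool that barnyard2 feeds to Sguil is never written. It also runs under set -u so a mismatch between the variable that is defined (SNORT_LOG) and the one that is expanded cannot silently pass an empty -l directory, and it counts the snort.log.* files a working unified2 sensor leaves behind. The interface, PID directory and config path defaults are assumptions, not the poster's real values.

```shell
#!/bin/sh
# Added example, not code from the thread or from Sguil.
# set -u: expanding an undefined variable (e.g. the SNORTLOG/SNORT_LOG typo)
# aborts the script instead of passing "-l" with an empty directory to snort.
set -u

# Assumed defaults; override from the environment on a real sensor.
HOSTNAME="${HOSTNAME:-$(hostname 2>/dev/null || echo localhost)}"
IFACE="${IFACE:-eth0}"
PIDDIR="${PIDDIR:-/var/run/snort}"
SNORT_CONF="${SNORT_CONF:-/etc/snort/snort.conf}"
SNORT_LOG="${SNORT_LOG:-/var/log/snort-$HOSTNAME}"

# Print the daemon command line for a unified2-only sensor.  No "-A <mode>":
# the output plugins configured in snort.conf (output unified2: ...) must stay
# in charge of alert output for barnyard2/Sguil to see anything.
build_snort_cmd() {
    printf '%s' "snort -u sguil -g sguil -m 122 -l $SNORT_LOG -c $SNORT_CONF -i $IFACE -U --pid-path $PIDDIR -D"
}

# Return 0 (true) if an argument list carries a command-line alert mode
# (-A full, -A fast, ...), which would override the snort.conf output plugins.
has_cmdline_alert_mode() {
    for arg in "$@"; do
        case "$arg" in
            -A*) return 0 ;;
        esac
    done
    return 1
}

# Count the unified2 spool files (snort.log.<timestamp>) in a log directory;
# zero after traffic has flowed means barnyard2 has nothing to hand to Sguil.
count_unified2_files() {
    dir="$1"
    [ -d "$dir" ] || { echo 0; return; }
    find "$dir" -maxdepth 1 -name 'snort.log.*' | wc -l | tr -d ' '
}

# Usage on the sensor (uncomment): refuse to start with an alert mode present,
# then report how many spool files exist.
# set -- $(build_snort_cmd)
# if has_cmdline_alert_mode "$@"; then echo "drop -A: it disables unified2" >&2; exit 1; fi
# "$@" && count_unified2_files "$SNORT_LOG"
```

The check on the argument list is deliberately separate from the command builder so it can be run against an existing init script's line before touching the sensor; `count_unified2_files` gives a quick yes/no on whether unified2 output is actually reaching disk before digging into barnyard2 or Sguil.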