barnyard2
OpSyslog_Log(): Is currently unable to handle Event Type [72]
I've encountered the following log output several times now in my snort/barnyard2 installation:
Apr 21 10:37:05 termina snort[26499]: OpSyslog_Log(): Is currently unable to handle Event Type [72]
Apr 21 10:37:05 termina snort[26499]: FATAL ERROR: [Syslog_FormatIPHeaderLog()], strlcpy() error , bailing
Apr 21 10:37:05 termina snort[26499]: Barnyard2 exiting
Deleting the merged.log.* file (as suggested somewhere) helps temporarily, but it happens again after a while and then barnyard2 won't start until the file is deleted again. I've seen the "unable to handle Event Type [72]" in one or two threads across the Internet in the context of barnyard2 not having ipv6 support, but from what I've gathered, this is no longer the case.
What does this error message mean? What can I do to fix it?
The system in question is FreeBSD 10.1-RELEASE-p9 and the barnyard2 version string is Version 2.1.13 (Build 327) IPv6.
//----------LEGACY, type '72'
typedef struct Unified2IDSEventIPv6_legacy

Events will be parsed but not outputted. Will have to check where it bails on v6, since before it wouldn't get sent to the output plugin.
— Reply to this email directly or view it on GitHub https://github.com/firnsy/barnyard2/issues/144.
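An added example (not code from the barnyard2 project or from anyone in this thread): to check whether a given merged.log.* spool file actually contains legacy type 72 records before deleting it, the record headers can be walked and counted by type. It assumes the standard unified2 framing of a 4-byte record type and a 4-byte body length in network byte order; the function names and the sample bytes are constructed for illustration.

```python
import io
import struct
from collections import Counter

# unified2 record type numbers as defined by Snort; 72 is the legacy IPv6
# event this thread is about, the rest are listed for orientation.
TYPE_NAMES = {2: "packet", 7: "IDS event (legacy IPv4)",
              72: "IDS event (legacy IPv6)", 104: "IDS event v2 (IPv4)",
              105: "IDS event v2 (IPv6)", 110: "extra data"}
HEADER = struct.Struct(">II")  # record type, body length, both big-endian


def count_record_types(stream):
    """Return (Counter of record types, offset of a cut-off record or None)."""
    counts, offset = Counter(), 0
    while True:
        header = stream.read(HEADER.size)
        if not header:
            return counts, None      # clean end of file
        if len(header) < HEADER.size:
            return counts, offset    # file ends inside a record header
        rtype, length = HEADER.unpack(header)
        if len(stream.read(length)) < length:
            return counts, offset    # file ends inside a record body
        counts[rtype] += 1
        offset += HEADER.size + length


def report(stream):
    """Print one line per record type seen and return the counts."""
    counts, cut_at = count_record_types(stream)
    for rtype, n in sorted(counts.items()):
        print(f"type {rtype:>3}  {TYPE_NAMES.get(rtype, 'unknown'):<24} {n}")
    if cut_at is not None:
        print(f"incomplete record at offset {cut_at}")
    return counts


# Constructed sample, not real Snort output: record bodies are zero-filled
# placeholders of arbitrary length, and the third record is cut short.
SAMPLE = (HEADER.pack(72, 16) + bytes(16)
          + HEADER.pack(2, 20) + bytes(20)
          + HEADER.pack(7, 52) + bytes(10))

if __name__ == "__main__":
    # For a real spool file: report(open("merged.log.<timestamp>", "rb"))
    report(io.BytesIO(SAMPLE))
```

A non-zero count for type 72 identifies the spool files that carry the legacy IPv6 events discussed here, and a reported offset marks a file that ends mid-record.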
@binf Could you explain what you mean in more detail? What does event type 72 represent exactly? Does this mean barnyard2 still doesn't support IPv6?
Events are read but not outputted. This is what it means.
Is there any way this problem can be avoided?
What do you want to avoid? The message? What does your unified2 output line look like in snort.conf?
@binf, no, I want to avoid barnyard2 exiting while printing that message and having to delete the merged.log.* file before it can be restarted again.
Or am I misinterpreting that this is related to the Event Type [72] message? I concluded it was related because it always happened at the same time as the FATAL ERROR.
The unified2 output line looks like this:
output unified2: filename merged.log, limit 128
Ok Denis, I will look into it soon, thanks
Any news on this?