Probably the most popular unified output (or spool) readers is Barnyard. Barnyard hasn't been updated in several years, but it continues to work. The following built-in help reveals some of its capabilities.
Just as the Syngress Snort book is the definitive reference on unified output, the same books are authoritative for Barnyard. The purpose of this article is to show how the unified output can be transformed into something more analyst-friendly.
Barnyard supports a variety of output plugins. If you read my previous article, then many of these will be familiar:
First I'll demonstrate all of these except the ACID and Sguil plugins. I create a barnyard.conf file with the following:
config hostname: cel433 config interface: dc0 config filter: output alert_fast: alert_fast.by output log_dump: log_dump.by output alert_csv: /tmp/so/by/alert_csv.by output alert_syslog output alert_syslog2 output log_pcap: log_pcap.by
Next I test how Barnyard will process snort.alert.TIMESTAMP in batch mode using Barnyard's -R switch.
That looks good to me.
Working with unified output
Examining unified output
Unified output readers
Barnyard processing alerts
Barnyard processing logs
Barnyard working with databases
About the author
Richard Bejtlich is founder of TaoSecurity, author of several books on network security monitoring, including Extrusion Detection: Security Monitoring for Internal Intrusions, and operator of the TaoSecurity blog.