Barnyard2: WARNING: Can't extract timestamp from...

[crice01]

Install went OK, but all I get from barnyard2 is:

WARNING: Can't extract timestamp from 'merged.log' using base 'merged.log'

Any ideas how to correct this issue?

[Morpheus]

The error indicates that Barnyard2 is having an issue with the time stamp on the snort.log file.

Log file name Example: merged.log.1377185664

If there is no time stamp on the d:/winids/log/merged.log file then check  the snort.conf lines below for accuracy.

Original Line(s): # output unified2: filename merged.log, limit 128, nostamp, mpls_event_types, vlan_event_types
Change to: output unified2: filename merged.log, limit 128

[crice01]

OK, that got me working!

I had: 'output unified2: filename merged.log, limit 128 #, nostamp, mpls_event_types, vlan_event_types' in my snort configuration.

Removing the '#, nostamp, mpls_event_types, vlan_event_types' portion has made everything much happier.

Thanks for your help.

[Morpheus]

No problem...

[jgreninger]

Hi there,

I just upgraded to Snort 2.9.7.3 and I have this issue.  I followed the recommended fix but it didn't resolve the issue.  Anything else it could be?  I was wondering if perhaps it could be that barnyard2 needs to be rebuilt for 2.9.7.3?

Here's my config...

snort.conf

[Morpheus]

On ‎5‎/‎26‎/‎2015 at 8:33 PM, jgreninger said:

Hi there,

I just upgraded to Snort 2.9.7.3 and I have this issue.  I followed the recommended fix but it didn't resolve the issue.  Anything else it could be?  I was wondering if perhaps it could be that barnyard2 needs to be rebuilt for 2.9.7.3?

Here's my config...

snort.conf

 

Not real sure about some of you configurations. It appears you are using an outdated snort.conf file. You will need to retrieve a stock snort.conf and configure. Do not activate the SO rules as they are not compatable with Windows.

Delete all the files in snort/logs prior to restarting.