
I am beginning to migrate my snort logging from alert_syslog to unified2, using barnyard2 as the processor. In some cases I have multiple instances of snort running on the same system. Since I have historically used syslog, it handled the multiple log inputs without problem; however, with the switch to unified2 I am concerned about write collisions.

Currently, I am using the same snort.conf for each instance and managing the separate instances in /etc/sysconfig/snort. Primarily for simplicity of configuration, and partially for development time on my part, I would like to be able to maintain the same snort.conf, which, of course, means having all instances write to the same unified log file.

I am concerned about write collisions as multiple processes attempt to write to the same file. Is this a known safe approach with snort? Are the write methods used by the unified2 output processor thread safe? Can anyone comment on the likelihood of total protonic reversal by doing this?

Scott Pack
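The question's underlying worry is torn records: unified2 is a length-prefixed binary stream, so if two writers interleave inside one record the framing after that point no longer parses. The following is an added example, not code from the question or from the snort or barnyard2 projects; it builds constructed sample records, simulates an unsynchronised second writer, and walks the stream the way a consumer would, so a defender can run the same framing check over a real unified2 file to detect collisions. The record-type numbers are the ones defined by the unified2 format; the payload contents are constructed, not real events.

```python
import struct
import sys

# Unified2 record header: 4-byte type, 4-byte length, both in network byte order,
# followed by exactly `length` bytes of payload.
HDR = struct.Struct("!II")
# Record types defined by the unified2 format (a subset is enough for framing checks).
KNOWN_TYPES = {2: "PACKET", 7: "IDS_EVENT", 72: "IDS_EVENT_IPV6",
               104: "IDS_EVENT_VLAN", 105: "IDS_EVENT_IPV6_VLAN", 110: "EXTRA_DATA"}

def record(rtype, payload):
    """Frame a payload as one unified2 record (constructed sample data)."""
    return HDR.pack(rtype, len(payload)) + payload

def check_framing(data):
    """Walk the stream; return (records_parsed, error). error is None when framing is intact."""
    off, count = 0, 0
    while off < len(data):
        if len(data) - off < HDR.size:
            return count, "truncated header at offset %d" % off
        rtype, length = HDR.unpack_from(data, off)
        if rtype not in KNOWN_TYPES:
            return count, "unknown record type %d at offset %d" % (rtype, off)
        if off + HDR.size + length > len(data):
            return count, "record at offset %d claims %d bytes past EOF" % (off, length)
        off += HDR.size + length
        count += 1
    return count, None

def interleave(stream_a, stream_b, split):
    """Simulate writer B's record landing in the middle of writer A's write()."""
    return stream_a[:split] + stream_b + stream_a[split:]

# Constructed sample: instance 1 logs an event and its packet, instance 2 logs an event.
# 52 bytes is the size of a unified2 IDS_EVENT body; the bytes themselves are filler.
EVENT_1 = record(7, b"\x01" * 52)
PACKET_1 = record(2, b"\x00" * 64)
EVENT_2 = record(7, b"\x02" * 52)

SERIAL = EVENT_1 + PACKET_1 + EVENT_2                 # what a single writer produces
TORN = interleave(EVENT_1 + PACKET_1, EVENT_2, 20)    # collision 20 bytes into EVENT_1

if __name__ == "__main__":
    # With a path argument, check a real unified2 file; otherwise show the two samples.
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            print(check_framing(fh.read()))
    else:
        print("serial:", check_framing(SERIAL))
        print("torn:  ", check_framing(TORN))
```

Run it against one of the unified2 files that several instances share; a non-None error in the output is direct evidence of a collision and tells you the offset at which barnyard2 will stop making sense of the file.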
