
I am currently using snort-2.9.3.1 outputting unified2 log format and using barnyard2-1.9 to process the alerts and send them to both syslog and a database. In some cases I have multiple instances of snort running on the same host and would like to log them separately.

Is there a way to configure barnyard2 such that, depending on the input file name, it will take different actions?

Something like,

    [snortmain_unified.log]
    output alert_syslog: LOG_AUTH LOG_ALERT

    [snortsecondary_unified.log]
    output alert_syslog: LOG_LOCAL1 LOG_ERR

I am hoping to avoid running multiple instances of barnyard2.

Scott Pack

0 Answers