With ever-increasing network traffic and gigabit networks becoming more and more prevalent, the need for Snort to shed "unnecessary" processes became apparent. It is much faster for Snort to write its logs to a straight binary format, than for Snort to take the alert data it has already processed, parse that data to text, then format it to a human-readable output format (such as writing to a database or to a text log file). What unified logging buys you is a faster, more efficient Snort IDS system: Snort handles what it's supposed to, and Barnyard "prettifies" Snort's data.
Barnyard does what's known in the world of Snort as "post-processing."
Was this article helpful?