For those who come along after me, or for a bored Sourcefire TA maintainer, something to consider is that the syslog messages may not always include the PID after the process name, which was the problem in this case after I switched to syslog, rather than fast alert.
After switching to using Syslog I still had issues, sending directly or to a local file. I don't believe Barnyard2 supports including the PID (it reads from unified2, which doesn't include the PID of the snort process that wrote it, as far as I can tell). So your only option is to either modify transforms.conf to make the [$PID] part optional or to modify your snort config to use the following output:
output alert_syslog: LOG_AUTH LOG_ALERT log_pid
Here's how the alert looked after that configuration change:
Jul 16 03:46:53 onion snort[18235]: [1:2100498:8] GPL ATTACK_RESPONSE id check returned root [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 82.165.177.154:80 -> 192.168.100.101:34347
And if you wanted to change your transforms.conf, the following should do the trick, but I haven't tested it:
[signature_for_snort]
REGEX = snort(?:\[\d+\])?\:\s+\[[^\]]+\]\s+(.*?)\s+\[(?:Classification|Priority)
FORMAT = signature::"$1"
[signature_id_for_snort]
REGEX = snort(?:\[\d+\])?\:\s+\[([^\]]+)
FORMAT = signature_id::"$1"
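Since the stanzas above are untested, here is an added check (not part of the original post or the Sourcefire TA) that applies equivalent patterns to constructed syslog lines with and without the PID, and to an alert that has no Classification field; the only deliberate difference from the stanzas is that the whitespace before [Classification/[Priority sits outside the capture group so the signature value never ends in a trailing space.

```python
import re

# Constructed sample syslog lines (not from a real sensor): the first carries
# a PID (log_pid set on alert_syslog), the second does not, the third has no
# Classification field so the extraction must stop at [Priority instead.
SAMPLE_ALERTS = [
    "Jul 16 03:46:53 onion snort[18235]: [1:2100498:8] GPL ATTACK_RESPONSE id check "
    "returned root [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} "
    "82.165.177.154:80 -> 192.168.100.101:34347",
    "Jul 16 03:47:10 onion snort: [1:2100498:8] GPL ATTACK_RESPONSE id check "
    "returned root [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} "
    "82.165.177.154:80 -> 192.168.100.101:34347",
    "Jul 16 03:48:00 onion snort: [1:1000001:1] LOCAL test rule [Priority: 3] "
    "{UDP} 10.0.0.5:53 -> 10.0.0.9:5353",
]

# Patterns equivalent to the two transforms.conf stanzas: the "[PID]" bracket is
# optional, and the whitespace before [Classification or [Priority is consumed
# outside the capture group so the signature never ends in a trailing space.
SIGNATURE_RE = re.compile(
    r"snort(?:\[\d+\])?:\s+\[[^\]]+\]\s+(.*?)\s+\[(?:Classification|Priority)"
)
SIGNATURE_ID_RE = re.compile(r"snort(?:\[\d+\])?:\s+\[([^\]]+)")


def extract_fields(line):
    """Mimic the two REGEX/FORMAT stanzas on one syslog line.

    Returns {"signature": ..., "signature_id": ...}, or None when either
    pattern fails to match (the event would then show up in Splunk without
    these fields, which is the symptom described in the post).
    """
    sig = SIGNATURE_RE.search(line)
    sid = SIGNATURE_ID_RE.search(line)
    if sig is None or sid is None:
        return None
    return {"signature": sig.group(1), "signature_id": sid.group(1)}


def extract_all(lines):
    """Run the extraction over a batch of lines, keeping only successful matches."""
    return [fields for fields in (extract_fields(line) for line in lines) if fields]


if __name__ == "__main__":
    for fields in extract_all(SAMPLE_ALERTS):
        print(fields)
```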