Share your code. npm Orgs help your team discover, share, and reuse code. Create a free org »



    Pigsty is designed as a replacement for Barnyard2. It's written in Javascript using Node.js.


    We wanted something that was a little more extensible than Barnyard2. Thus, Pigsty was born.

    Pigsty's output architecture is plugin based. You must install Pigsty, then install and configure any output plugins you need.



    Pigsty requires libpcap (apt get install libpcap-dev on ubuntu). You also need to install node.js for your platform. We recommend v.10.x. Instructions for doing so are here:

    Ordinary people

    $ install node.js for your platform
    $ npm install pigsty -g
    $ sudo pigsty setup
    $ <edit /etc/pigsty/pigsty.config.js>
    $ npm install pigsty-<pluginname> -g   # repeat for any plugins you need
    $ pigsty                               # run pigsty!

    For developers

    $ install node.js for your platform
    $ git clone
    $ cd ./pigsty && npm install
    $ pigsty setup                         # setup your config. 
    $ ./bin/pigsty 

    Output Plugins

    Currently, the following plugins are available:

    To install, type npm install <plugin> -g, e.g. npm install pigsty-mysql -g


    To upgrade pigsty to the latest version, run npm update -g pigsty.

    To upgrade any output plugin, please run npm update -g <plugin_name>.


             ,' /, )_______   _
          __j o``-'        `.'-)'
         (")                 '
          `-j                |
            `-._(           /
               |_  |--^.  /
              /_]'|_| /_)_/
                 /_]'  /_]'
        Pigsty by Threat Stack, Inc
       Usage: pigsty [-options]
         -c, --config     Pigsty configuration file. Default path: /etc/pigsty.config.js
         -D, --daemon     Run Pigsty in daemon mode.
             --validate   Check your Pigsty configuration file for errors.
       -P, --pid        Specify a pid file (daemon mode only).
         -V, --verbose    Turn on verbose logging.
         -v, --version    Application version.
         -h, --help       Application usage.
       Sensor Information:
         -n, --name       Sensor name.
         -i, --interface  Sensor interface.
       Log Configurations
         -d, --dir        Log directory.
         -m, --match      Logs file must match express to be processed.
         -M, --mode       Processing mode (continuous|read). Default: continuous
         -b, --bookmark   Bookmark file path.
         -R, --reference        Reference file.
         -C, --classification   Classification file.
         -G, --gen-msg file.
         -S, --sid-msg file.
         Example: pigsty -i en1 -n "Pigsty" -d /logs/ -m unified2.alert.* -c ~/pigsty.config.js -D

    Configuration Options in pigsty.config.js

    Enable Archiving

    Add a section 'archiver' under logs to enable archving to an alternative directory after processing.

    logs: {
       archiver: {
         action: 'move',  // can also be 'delete' 
         dst: '/tmp/snort/processed' // where to move logs 


    Currently, the unified2 spooler reads at about 7000eps. Running w/ the pigsty-mysql output plugin, you'll get ~1000eps. This should be more than adequate for most installations, but we're actively working to make this faster.



    To write your own output plugin, please refer to:

    Full documentation on writing plugins coming soon.



    Q. Can't install; npm install pigsty -g is reporting pcap errors:
    make: Entering directory `/usr/lib/node_modules/pigsty/node_modules/unified2/node_modules/pcap/build'
      CXX(target) Release/
    ../ fatal error: pcap/pcap.h: No such file or directory
    compilation terminated.
    make: *** [Release/] Error 1
    make: Leaving directory `/usr/lib/node_modules/pigsty/node_modules/unified2/node_modules/pcap/build'
    gyp ERR! build error
    gyp ERR! stack Error: `make` failed with exit code: 2
    gyp ERR! stack     at ChildProcess.onExit (/usr/lib/node_modules/npm/node_modules/node-gyp/lib/build.js:267:23)
    gyp ERR! stack     at ChildProcess.EventEmitter.emit (events.js:98:17)
    gyp ERR! stack     at Process.ChildProcess._handle.onexit (child_process.js:789:12)
    gyp ERR! System Linux 3.5.0-17-generic
      SOLINK_MODULE(target) Release/

    A. Make sure you install libpcap

    Q. I installed pigsty using npm install pigsty -g but I don't have the pigsty binary

    A. Usually, it will get symlinked to /usr/bin. Depending on your platform, npm bin/ path is probably not in your path.
    You can look for it using find / -name "pigsty".


    Use the git issues, or send an email to


    Copyright (C) 2013 Threat Stack, Inc (

    This program is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version.

    This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.

    You should have received a copy of the GNU General Public License along with this program. If not, see




    npm i pigsty

    Downloadsweekly downloads








    last publish


    • avatar