February 2011 Archives

HowTo: Multiple Instances of SANCP

Note: If there was ever a time when I was over-thinking a problem, this was certainly one of those times! I've edited this post to summarize the original research and include the unbelievably simplistic solution.

I run a number of Sguil deployments, some of which are on hardware that is extremely under-utilized, so I set out to determine what it would take to run multiple Sguil deployments on the same server.

The required configuration changes were relatively simple for most of the processes (Sguil agents, Snort, DaemonLogger, PADS, Barnyard) until I got to SANCP. The FreeBSD package at the time of this writing (v1.6.1_4) doesn't utilize a PID file, nor does it have a configuration option for defining one. This makes it very difficult to run multiple instances: without a PID file, the rc subsystem defaults to checking for the process name in the process table, which leads to "sancp already running?" errors whenever any sancp process is present.
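To make that failure mode concrete, here is a small shell model of the "already running" check. It is an added example, not code from this post or from FreeBSD's rc.subr, and the process table it scans is constructed sample data: with no pidfile configured the service is judged by process name alone, so a sancp belonging to another Sguil deployment trips the check, while a pidfile lets each instance be checked by its own PID.

```sh
#!/bin/sh
# Simplified model (hypothetical, not FreeBSD's rc.subr) of how an rc script
# decides whether a service is already running.

# Constructed process table in "pid command" form (sample data only).
PS_TABLE='101 snort
102 sancp
103 daemonlogger
104 sancp'

# No-pidfile path: every PID whose command matches the process name counts,
# regardless of which deployment started it.
pids_by_procname() {
    printf '%s\n' "$PS_TABLE" | awk -v name="$1" '$2 == name { print $1 }'
}

# Pidfile path: only the PID recorded in the pidfile is considered, and only
# if that PID is present in the table with the expected command name.
# $1 = pidfile path, $2 = process name.
pid_from_pidfile() {
    [ -r "$1" ] || return 1
    pid=$(head -n 1 "$1" | tr -cd '0-9')
    printf '%s\n' "$PS_TABLE" | awk -v p="$pid" -v n="$2" \
        '$1 == p && $2 == n { print $1 }'
}

# Prints the rc-style complaint and returns 0 when the instance looks
# running, 1 otherwise.
# $1 = process name, $2 = pidfile path, or empty for "no pidfile configured".
already_running() {
    if [ -z "$2" ]; then
        pids=$(pids_by_procname "$1")
    else
        pids=$(pid_from_pidfile "$2" "$1")
    fi
    [ -n "$pids" ] || return 1
    echo "$1 already running? (pids: $(echo $pids))"
}
```

Running `already_running sancp ""` reports both sancp PIDs, which is the collision the post describes; pointing a pidfile at a single PID isolates the check to that instance.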