Actually Trisul reads alerts from the Unix Socket not from the unified2.* logs.
Do you see a file called barnyard2_alert in the following directory ?
/nsm/sensor_data/host-eth1/
Once again, the file should be called /nsm/sensor_data/host-eth1/barnyard2_alert
This is the unix socket into which barnyard2 writes alert data into. You then point Trisul to read from this socket
<IDSAlerts>
<Enabled>True</Enabled>
<UnixSocket>/nsm/sensor_data/host-eth1/barnyard2_alert</UnixSocket>
<SnortVersion>2.9+</SnortVersion>
</IDSAlerts>
If you are running Security Onion maybe this blog post might help you get going.
www.unleashnetworks.com/blog/?p=322
Thanks,