[Snort-users] data table full in MYSQL

Roman Danyliw roman at ...438...
Tue Oct 16 10:36:22 EDT 2001


Mike,

A couple of clarifications:

- If you deleted events from the database manually, make sure to delete
the corresponding information from all tables (i.e. event, iphdr,
tcphdr/icmphdr/udphdr, data, opt).  Otherwise, the database will be left
in an inconsistent state.

- the event cache does not store any data on the packet payload

Assuming you have deleted a number of alerts from the database without
using ACID, the cache will need to be rebuilt.  Issue the following
command from the mysql command line:

mysql> DELETE FROM acid_event;

This command will delete the entire cache.  To recreate it, use the
maintenance page or simply enable auto-updating of the event cache.

Roman

On Tue, 16 Oct 2001, Reeves, Michael (GEAE, Compaq) wrote:

> Ok,
>
>
>       database: mysql_error: The table 'data' is full
>
> my data.MYD is 4.2 gigs :) I killed a bunch of events from the acid
dbase
> but no dice. It looks like it is pulling them into cache but not
deleting
> them from the data.myd directory. The user has full rights over the
dbase.
> Also when I go into cache and status is says there are 300,000+ alerts
but
> only 56000 cached events. I update the alert cache and it says 0 alerts
> added. I am not sure of how the process works. Should I wipe the DB and
> start over?
>
> Mike






More information about the Snort-users mailing list