[Snort-users] please help - ACID: "Ignored XXX duplicate events" on archive

Cloppert, Michael Michael.Cloppert at ...5884...
Tue Aug 27 07:53:05 EDT 2002

Has anyone come up with any sort of a way to resolve this issue?  Our
acid-archive database is still completely useless, and I really need a way
to fix this.  ANY help would be appreciated.  And to address a previous
question, yes, my acid_conf.php is configured correctly:

$alert_dbname   = "snort";
$alert_host     = "localhost";
$alert_port     = "";
$alert_user     = "snort";
$alert_password = "xxxx";
/* Archive DB connection parameters */
$archive_dbname   = "snort_archive";
$archive_host     = "localhost";
$archive_port     = "";
$archive_user     = "snort";
$archive_password = "xxxx";

Thanks in advance,

-----Original Message-----
From: Luca Tampieri [mailto:Luca.Tampieri at ...5851...]
Sent: Tuesday, August 20, 2002 12:48 PM
To: Cloppert, Michael; snort-users at lists.sourceforge.net
Subject: Re: [Snort-users] please help - ACID: "Ignored XXX duplicate
events" on archive

We had the same problem yesterday.
I have seen that our database-archive was full, or I think so (I don't know
mysql well);

mysql> show table status;

shows that 'Max_data_length' and 'Index_length' were about the same for the
table, so I have made a new archive, I have set it in acid_conf
($archive_dbname), and now I am trying to move alerts into this db.

I will have the results of this test only later because my ACID is very
slow, but so far everything is all right.

Note: we use snort 1.8.6 and FreeBSD 4.6.

Hope this helps.

"Cloppert, Michael" wrote: 

I'm having a problem with ACID's "Archive Alerts (move)" and "Archive Alerts
(copy)".  All events I try to archive give the error "Ignored XXX duplicate
events".  These are not duplicate events - I even verify this by running my
version of ACID that queries the snort-archive database and I can't find the
alerts.  As a matter of fact, this action hasn't been successful for more
than 2 weeks now.  I have no idea what I may have changed to cause this

I'm running Snort 1.8.7 on RHL7.3, latest version of ACID, mysql, etc... 

This is a HUGE problem for us, as we rely heavily on ACID's archiving 
ability for maintenance.  Any help would be appreciated. 

