[Snort-users] [snort-mysql] logging OK to logfile, not to mysql database

Michael Steele michaels at ...9077...
Wed Dec 3 21:37:01 EST 2003


Try manually running Snort with your existing run line but tag a -T to the
end. This might give you what you need to know.

Also try a tcpdump on the port to make sure the alerts are actually getting
to the database.

Cheers...

-The WINSNORT.com Management Team
-- 
 Pick up your FREE Windows or UNIX Snort installation guides       
 mailto:support at ...9077...
 Website: http://www.winsnort.com
 Snort: Open Source Network IDS - http://www.snort.org


> -----Original Message-----
> From: snort-users-admin at lists.sourceforge.net [mailto:snort-users-
> admin at lists.sourceforge.net] On Behalf Of Josh Berry
> Sent: Wednesday, December 03, 2003 9:05 PM
> To: Michel Christophe
> Cc: snort-users at lists.sourceforge.net
> Subject: Re: [Snort-users] [snort-mysql] logging OK to logfile, not to
> mysql database
> 
> Have you tested running the snort instance without using daemon mode (-D)
> and watching to see if snort complains?  If so are you getting any errors
> with snort?  Does it say that it has connected?
> 
> > Hello
> >
> > I am desperately trying to log snort output to a mysql database (dual
> > logging across a vpn will come later). Snort logging to its classical
> > log files (/var/log/snort/snortfiles, I am running Mandrake) works
> > perfectly. But the recently created mysql 'snort' database remains
> > desperately empty although I had a number of alerts since that time.
> >
> > the snort database was created according to snort-2.0.1 documentation as
> > follows:
> >
> > % echo "CREATE DATABASE snort;" | mysql -u root -p
> >
> > then, logging to mysql as mysql-root user, I have done the following
> > privileges changes on the snort database:
> >
> > mysql> grant INSERT,SELECT on snort.* to snortusr at ...274...;
> > Query OK,  rows affected (0.04 sec)
> >
> > mysql> grant INSERT,SELECT,UPDATE on snort.sensor to snortusr at ...274...;
> > Query OK,  rows affected (0.01 sec)
> >
> > as you see, no errors were seen
> >
> > Afterwards, I have created the snort database structure, as root, using
> > the /usr/share/doc/snort-2.0.1/create_mysql script, with no errors at
> > the output
> >
> > of course, both snort and mysql have been restarted afterwards
> >
> > But still no logging, at all, the snort db remains empty, although text
> > logging in /var/log/snort goes on
> >
> > here is the corresponding /etc/snort.conf section
> > (...)
> > output log_tcpdump: tcpdump.log
> > (...)
> > output database: log, mysql, user=snortusr password=XXXX dbname=snort
> > host=localhost encoding=hex detail=full
> > (...)
> > Can I keep logging to files while using MySQL at the same time ? Can
> > this lead to errors ?
> >
> > here are the versions of the software I use:
> >
> > MySQL-common-4.0.11a-5.1mdk
> > MySQL-client-4.0.11a-5.1mdk
> > MySQL-4.0.11a-5.1mdk
> > libmysql10-3.23.56-1.4mdk
> > libmysql12-4.0.11a-5.1mdk
> > snort-2.0.0-2.1mdk
> > snort-mysql-2.0.0-2.1mdk
> >
> > Thanks for clues.
> >
> > --
> > Michel Christophe <tofm2 at ...1855...>
> >
> 
> 
> Thanks,
> Josh Berry, CTO
> LinkNet-Solutions
> 469-831-8543
> josh.berry at ...10268...
> 
> 
> 
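One offline cross-check of the configuration quoted in the thread: does the snort.conf `output database:` directive name a user, host and database that the GRANT statements actually cover (INSERT,SELECT on db.*, UPDATE on db.sensor, for the same user@host)? This is an added example, not code from the thread or from Snort; it assumes the obfuscated grant host was localhost and that the directive sits on one line of snort.conf (Snort reads it as one line or backslash-continued).

```python
import re

DIRECTIVE_RE = re.compile(r"^\s*output\s+database:\s*(\w+)\s*,\s*(\w+)\s*,\s*(.*?)\s*$")
GRANT_RE = re.compile(r"grant\s+([\w ,]+?)\s+on\s+(\w+)\.(\*|\w+)\s+to\s+'?(\w+)'?@'?([\w.%]+)'?",
                      re.IGNORECASE)

def parse_directive(conf_text):
    """Return (facility, backend, params) for the first 'output database:' line,
    joining backslash-continued lines the way Snort does; None if absent."""
    for line in conf_text.replace("\\\n", " ").splitlines():
        m = DIRECTIVE_RE.match(line)
        if m:
            params = dict(kv.split("=", 1) for kv in m.group(3).split() if "=" in kv)
            return m.group(1), m.group(2), params
    return None

def parse_grants(sql_text):
    """Return [(privileges, db, table, user, host)] for each GRANT statement."""
    return [({p.strip().upper() for p in m.group(1).split(",")},
             m.group(2), m.group(3), m.group(4), m.group(5))
            for m in GRANT_RE.finditer(sql_text)]

def check_grants(params, grants):
    """List what the configured user lacks; [] means the grants suffice (only db.* grants count for INSERT/SELECT)."""
    user, db, host = params.get("user"), params.get("dbname"), params.get("host", "localhost")
    if not (user and db):
        return ["directive needs both user= and dbname="]
    def held(table, priv):
        return any(guser == user and gdb == db and gtable == table and ghost in (host, "%")
                   and privs & {priv, "ALL", "ALL PRIVILEGES"}
                   for privs, gdb, gtable, guser, ghost in grants)
    problems = [f"{priv} on {db}.* missing for {user}@{host}"
                for priv in ("INSERT", "SELECT") if not held("*", priv)]
    if not (held("*", "UPDATE") or held("sensor", "UPDATE")):
        problems.append(f"UPDATE on {db}.sensor missing for {user}@{host}")
    # Classic cause of an empty database: the account exists, but for a different host.
    other_hosts = {ghost for _, _, _, guser, ghost in grants if guser == user} - {host, "%"}
    if problems and other_hosts:
        problems.append(f"{user} is only granted for host(s) {sorted(other_hosts)}, "
                        f"but snort.conf connects with host={host}")
    return problems

# Constructed samples: the thread's directive on one line; grant host assumed to be localhost.
SNORT_CONF = ("output database: log, mysql, user=snortusr password=XXXX "
              "dbname=snort host=localhost encoding=hex detail=full\n")
GRANTS_OK = ("grant INSERT,SELECT on snort.* to snortusr@localhost;\n"
             "grant INSERT,SELECT,UPDATE on snort.sensor to snortusr@localhost;")
GRANTS_WRONG_HOST = GRANTS_OK.replace("@localhost", "@'192.0.2.10'")
```

Run `check_grants(parse_directive(SNORT_CONF)[2], parse_grants(GRANTS_OK))` to get `[]`; with `GRANTS_WRONG_HOST` it reports the missing privileges and the host mismatch.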