[Snort-users] Mysql process stopping affects db writes after restart of mysql?

Dirk Geschke dirk at ...10648...
Thu Nov 11 00:21:03 EST 2004


Hi Dan,

> I noticed/tested that if mysql database process is stopped, snort (2.2)
> creates syslog errors that it can't write to database. Any new incidents
> seen by the probe do not get written to the database after that, but
> they do get logged in the tcpdump logfile. However, when I restart the
> mysql process, the incidents do not recover or get rewritten to the db
> (they are not spooled with error recovery) ...neither do new events
> after restarting mysql. It's as if I am going to have to restart snort
> on the probe to get logging into remote db successfully again. Anyone
> come across solutions for spooling alerts that don't make it into
> database and get snort to write to db without restarting snort? Does
> Barnyard handle this kind of recovery? 
> So basically, it looks like a stopped mysql process will cause pain and
> lost logging into db.

Yes, this behaviour is correct. Snort connects to the database only on
start-up (or on restart, which is the same, a.k.a. SIGHUP). So there is no
mechanism to reconnect to the database if it is restarted.

I am not sure about barnyard, but I think it has a mechanism to
recover from such an event. Mudpit has this and FLoP can do this, too.

Best regards

Dirk
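
Added example, not part of the original message and not code from Snort, Barnyard, Mudpit or FLoP: a minimal sketch of the spool-and-reconnect behaviour asked about in this thread, where alerts raised while the database is down are queued and delivered in order once it is back, without restarting the sensor. `FakeDb` and `SpoolingWriter` are hypothetical names, and `FakeDb` is a constructed stand-in for the remote MySQL server.

```python
import collections


class FakeDb:
    """Constructed stand-in for the MySQL server; `up` simulates the process state."""

    def __init__(self):
        self.up = True
        self.rows = []

    def connect(self):
        if not self.up:
            raise ConnectionError("database is down")
        return self

    def insert(self, alert):
        if not self.up:
            raise ConnectionError("connection lost")
        self.rows.append(alert)


class SpoolingWriter:
    """Hypothetical output stage: spool alerts while the DB is down, reconnect lazily."""

    def __init__(self, connect):
        self._connect = connect            # callable that opens a new connection
        self._conn = None
        self.spool = collections.deque()   # alerts not yet stored, oldest first

    def write(self, alert):
        self.spool.append(alert)
        return self.flush()

    def flush(self):
        """Try to drain the spool in order; return the number of alerts stored."""
        stored = 0
        try:
            if self._conn is None:
                self._conn = self._connect()   # reconnect on demand, not only at start-up
            while self.spool:
                self._conn.insert(self.spool[0])
                self.spool.popleft()           # drop only after a successful insert
                stored += 1
        except ConnectionError:
            self._conn = None                  # forget the dead handle; retry on next call
        return stored
```

The spool here lives in memory, so it is lost if the sensor process itself dies; a spool meant to survive that would be kept on disk.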



