[Snort-users] Snort 2.0.0 logging to MySQL, but nothing in ACID???

Kevin Johnson kjohnson at ...12400...
Tue Oct 19 16:11:49 EDT 2004

On Tue, 2004-10-19 at 16:29, Williams Jon wrote:
> I'm having a pretty bad brain fart.  Some time this morning, one of our
> ACID consoles stopped working.  We've confirmed that all of our sensors
> are seeing data and generating alerts, that the MySQL port is open
> between all of the sensors and the DB server, that MySQL is running and
> accepting connections on the port the sensors are connecting to, and
> that the sensors are writing data to the database.
> When I go into ACID, it shows no alerts and no sensors, but if I click
> on the "Application cache and status" link, the Alert Information Cache
> section shows the correct number of alerts under "Total Events".
> Clicking on "Repair Tables" and "Update Alert Cache" have no effect on
> the problem, nor did restarting the web server, MySQL server, and
> rebooting the box.
> Fortunately, we've got a second DB server.  When we repointed the
> sensors to the second server, everything works fine there.
> While I was logged into the box around the time that the problem
> occurred, and there were no other users logged in at all since before
> the problem, I have no clear recollection of any actions that had
> anything to do with PHP, the web server, ACID, or MySQL.
> Any suggestions?  Any idea how I shot myself in the foot?
> Thanks.
> Jon


If you access the original database server directly, are the alerts
still there?  Is there anything in the logs?  I would set the two below
variables in acid_conf.php if you can't find anything else....
        $sql_trace_mode = 0;
        $sql_trace_file = "";

Feel free to respond with any more information and I can try to help.
BASE Project Lead
The next step in IDS analysis!
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 189 bytes
Desc: This is a digitally signed message part
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20041019/a63f439f/attachment.sig>

More information about the Snort-users mailing list