[Snort-users] Multiple sensors one database
Atkins, Dwane P
ATKINSD at ...9240...
Wed Apr 13 11:27:32 EDT 2011
I now have the sensor sending information to a centralized database. My issue was that we had added permissions to snort-sensor1 at ...15241... instead of 'snort'@'snort-sensor1.v60.mydomain.com'. I do have issues with my sensor2, but I believe that is a configuration issue.
To complete this:
I execute mysql -u root -p <enter> and the root password on the server which hosts the centralized database. Type in use snort; and then I typed in GRANT ALL ON snort.* TO 'snort'@'snort-sensor1.v60.mydomain.com';. I typed in the same command for the sensor2. As soon as this happened, you could see the traffic passing.
Thanks to all for your help. I hope this will help someone later down the line.
I have defined my centralized database in the barnyard2.conf file.
From: Atkins, Dwane P [mailto:ATKINSD at ...9240...]
Sent: Tuesday, April 12, 2011 9:15 PM
Cc: snort-users at lists.sourceforge.net
Subject: Re: [Snort-users] Multiple sensors one database
I think you are right on track with my desires. These two sensors need to send their alerts to a centralized mysql server on another device.
I really believe we are experiencing a permissions issue. We can ping each device so the connectivity via ICMP is there.
Each database, which I am not sure I need on the sensors, is called snort with identical setups with the exception of sensor_names and IP addresses.
I am at a loss and any help or thoughts would be appreciated.
--- From my iPhone. Dwane
On Apr 12, 2011, at 8:33 PM, "beenph" <beenph at ...11827...> wrote:
> On Tue, Apr 12, 2011 at 5:03 PM, Atkins, Dwane P <ATKINSD at ...9240...> wrote:
>> Good afternoon,
>> We are running two snort devices and attempting to get them both to record
>> to one mysql database.
>> Created database snort. Assigned permissions to sensor1 at ...15240... and
>> sensor2 at ...15242... I installed Snort 220.127.116.11 schema so that databases
>> would all look the same. Yes, I did have a single mysql database on each
>> sensor but was told that in order to run a particular Application, I
>> would need a single database.
>> We are using Snort 18.104.22.168 on Ubuntu 10.04.01 LTS. We are using Barnyard2.
>> In the Barnyard2.conf file, we have an entry, "output database: log, mysql,
>> user=snort password=snortpass dbname=snort host=10.10.12.1
>> sensor_name='sensor1'" and have an identical entry for the second sensor.
>> I have not made any configuration changes to the my.cnf. It currently binds to
>> 127.0.0.1, but should I have it bind to the Master?
>> # Instead of skip-networking the default is now to listen only on
>> # localhost which is more compatible and is not less secure.
>> bind-address = 10.10.12.1
>> Is there anywhere else I need to check? Do I need to shut down mysql on each
>> sensor now?
>> Thank you
> I am not sure I clearly understand your statement, but on your second
> sensor you should have sensor_name='sensor2', since if I remember well
> the "acid" schema will use that to identify last_cid and you could run
> into sync trouble if you run two sensors who use the same event counter.
> On the other hand, as I stated, I am not sure I understand completely your
> ultimate goal beside probably using a database on a separate system;
> if that's so then you should update both barnyard configs to point to
> your new database and from there restart barnyard and it should be
> logging to the "centralized" database.
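The two fixes that made this thread work were host-scoped MySQL grants for each sensor and a distinct sensor_name per barnyard2 instance. The script below is an added example, not code from the thread or from the Snort/Barnyard2 projects: it parses constructed barnyard2 "output database:" lines, refuses to proceed when two sensors share a sensor_name (the last_cid collision beenph describes), and emits GRANT statements scoped to each sensor's hostname rather than a wildcard host. The sensor FQDNs are assumed inputs, since barnyard2.conf only names the database server, not the sensor as the MySQL server sees it.

```python
import re
from collections import Counter

# Constructed sample: "output database:" lines from two sensors' barnyard2.conf,
# keyed by the sensor hostname the MySQL server will see in the connection.
SENSOR_CONFIGS = {
    "snort-sensor1.v60.mydomain.com": (
        "output database: log, mysql, user=snort password=snortpass "
        "dbname=snort host=10.10.12.1 sensor_name='sensor1'"
    ),
    "snort-sensor2.v60.mydomain.com": (
        "output database: log, mysql, user=snort password=snortpass "
        "dbname=snort host=10.10.12.1 sensor_name='sensor2'"
    ),
}

# key=value tokens; values may be bare (user=snort) or quoted (sensor_name='sensor1')
_KV = re.compile(r"(\w+)=('[^']*'|\S+)")


def parse_output_line(line):
    """Return the key/value parameters of a barnyard2 'output database:' line."""
    if not line.startswith("output database:"):
        raise ValueError("not an output database line")
    params = {k: v.strip("'") for k, v in _KV.findall(line)}
    for required in ("user", "dbname", "host", "sensor_name"):
        if required not in params:
            raise ValueError("missing parameter: %s" % required)
    return params


def duplicate_sensor_names(configs):
    """Sensor names used by more than one sensor; these would share last_cid."""
    names = Counter(parse_output_line(l)["sensor_name"] for l in configs.values())
    return sorted(n for n, count in names.items() if count > 1)


def plan_grants(configs):
    """One GRANT per sensor, scoped to that sensor's host (never '%')."""
    dupes = duplicate_sensor_names(configs)
    if dupes:
        raise ValueError("duplicate sensor_name: %s" % ", ".join(dupes))
    grants = []
    for fqdn, line in sorted(configs.items()):
        p = parse_output_line(line)
        # The host part is the sensor as the MySQL server resolves it; the
        # thread's failure was granting to the wrong host identity.
        grants.append("GRANT ALL ON %s.* TO '%s'@'%s';" % (p["dbname"], p["user"], fqdn))
    return grants


if __name__ == "__main__":
    print("\n".join(plan_grants(SENSOR_CONFIGS)))
```

The GRANT form mirrors the one in the thread (the 'snort' account is assumed to exist already); narrowing ALL to the privileges barnyard2 actually needs is a separate hardening step.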