[Snort-users] Multiple sensors one database
beenph at ...11827...
Wed Apr 13 13:06:02 EDT 2011
Im glad that you figured it out but it seemd to be more a db issue
than a snort/BY2 issue and as you said this will probably leave traces
if someone has similar issue.
On Wed, Apr 13, 2011 at 11:27 AM, Atkins, Dwane P <ATKINSD at ...9240...> wrote:
> I know have the sensor sending information to a centralized database. My issue was that we had added permissions to snort-sensor1 at ...15241... instead of 'snort'@'snort-sensor1.v60.mydomain.com'. I do have issues with my sensor2, but I believe that is a configuration issue.
> TO complete this:
> I execute mysql -u root -p <enter> and the root password on the server which host the centralize database. Type in use snort; and then I typed in GRANT ALL ON snort.* TO 'snort'@'snort-sensor1.v60.mydomain.com';. I typed in the same command for the sensor2. As soon as this happened, you could see the traffic passing.
> Thanks to all for your help. I hope this will help someone later down the line.
> I have defined my centralized database in the barnyard2.conf file.
> -----Original Message-----
> From: Atkins, Dwane P [mailto:ATKINSD at ...9240...]
> Sent: Tuesday, April 12, 2011 9:15 PM
> To: beenph
> Cc: snort-users at lists.sourceforge.net
> Subject: Re: [Snort-users] Multiple sensors one database
> I think you are right on track with my desires. These two sensors need to send their alerts to a centralized mysql server on another device.
> I really believe we are experiencing a permissions issue. We can ping each device so the connectivity via ICMP is there.
> Each database, which I am not sure I need on the sensors, are called snort with identical setups with the exception of sensor_names and ip addresses.
> I am at a loss and any help or thoughts would be appreciated.
> Thank you
> --- From my iPhone. Dwane
> On Apr 12, 2011, at 8:33 PM, "beenph" <beenph at ...11827...> wrote:
>> On Tue, Apr 12, 2011 at 5:03 PM, Atkins, Dwane P <ATKINSD at ...9240...> wrote:
>>> Good afternoon,
>>> We are running two snort devices and attempting to get them both to record
>>> to one mysql database.
>>> Created database snort. Assigned permissions to sensor1 at ...15240... and
>>> sensor2 at ...15242... I installed Snort 18.104.22.168 schema so that databases
>>> would all look the same. Yes, I did have a single mysql database on each
>>> sensor but was told in that in order to run a particular Application, I
>>> would need a single database.
>>> We are using Snort 22.214.171.124 on Ubuntu 10.04.01 LTS. We are using Barnyard2.
>>> In the Barnyard2.conf file, we have an entry, "output database: log, mysql,
>>> user=snort password=snortpass dbname=snort host=10.10.12.1
>>> sensor_name='sensor1' and have an identical entry for the second sensor.
>>> I have not made any configuration changes the my.cnf. It currently binds to
>>> 127.0.0.1 but should I have it bind to the Master
>>> # Instead of skip-networking the default is now to listen only on
>>> # localhost which is more compatible and is not less secure.
>>> bind-address = 10.10.12.1
>>> Is there anywhere else I need to check? Do I need to shutdown mysql on each
>>> sensor now?
>>> Thank you
>> I am not sure i clearly understand your statement, but on your second
>> sensor you should
>> have sensor_name='sensor2', since if i remember well the "acid" schema
>> will use that to identify
>> last_cid and you could run into sync trouble if you run two sensor who
>> use the same event counter.
>> On the other hand as i stated i am not sure i undersand completly your
>> ultimate goal beside probably
>> using a database on a separate system, if thats so then you should
>> update both barnyard config to
>> point to your new database and from there restart barnyard and it
>> should be logging to the "centralized" database.
> Forrester Wave Report - Recovery time is now measured in hours and minutes
> not days. Key insights are discussed in the 2010 Forrester Wave Report as
> part of an in-depth evaluation of disaster recovery service providers.
> Forrester found the best-in-class provider in terms of services and vision.
> Read this report now! http://p.sf.net/sfu/ibm-webcastpromo
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> Snort-users list archive:
More information about the Snort-users