[Snort-users] Barnyard2 database failures

beenph beenph at ...11827...
Sun Dec 30 11:54:54 EST 2012


And do you use something to stop barnyard2 periodically and restart it?

Like a wrapper to pulled pork?
Would it be possible that your database server stops and restarts?
Do you have database logs?

With the 2-1.1x code, changes were made to the output plugin so that if an
event is not logged, it's not logged at all. With 2-1.9 and historically
before, each of those insertions was done serially instead of being wrapped
in a transaction block, so if it was failing halfway you could find some
information that was logged incompletely.

So for this to happen often, there is probably something around by2 that
would be causing/triggering the issue.

Do you do a backup operation on your database?

Oh, and this should have nothing to do with snort, just to get back to the
initial questioning.

Snort logs to unified2 and by2 processes the unified2 file, so there is no
link between the database and snort.

-elz




On Sun, Dec 30, 2012 at 11:43 AM, Dave Corsello <
snort-users at ...15598...> wrote:

> Hi elz,
>
> Thanks for your reply.  On each sensor, barnyard2 is configured with a
> unique hostname, so that there are two sensors in the sensor table, and
> there's only one instance of Barnyard2 running on each sensor.
>
> --Dave
>
>
> On 12/29/2012 8:54 PM, beenph wrote:
>
>> Hi Dave,
>> In both of your barnyard2 configurations, do you use
>> different information so that you have two sensors
>> in your sensor table?
>> Because if you use the same information, then it would
>> be seen as 1 sensor and you could hit a race condition
>> which could lead to this.
>> So I would make sure that both of your barnyard2 instances have different
>> information,
>> and also make sure that you do not have another barnyard2 process in the
>> background.
>> Maybe launched by a startup script, etc.
>> This error would only happen if the transaction fails (duplicate key) or
>> if your database dies.
>> I suspect you have another process also inserting and this is why you're
>> hitting this condition.
>> -elz
>>
>>
>
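
The difference between serial inserts and a transaction-wrapped insert described in the reply above, as an added example that is not part of the thread and is not Barnyard2's own code. It assumes SQLite and a simplified, constructed three-table layout (`event`, `iphdr`, `data`); a pre-existing `iphdr` row stands in for a second writer colliding on the same key.

```python
import sqlite3

# Simplified, constructed tables for illustration; not the real database schema.
SCHEMA = """
CREATE TABLE event (sid INT, cid INT, signature INT, PRIMARY KEY (sid, cid));
CREATE TABLE iphdr (sid INT, cid INT, ip_src INT, ip_dst INT, PRIMARY KEY (sid, cid));
CREATE TABLE data  (sid INT, cid INT, payload TEXT, PRIMARY KEY (sid, cid));
"""

def new_db():
    db = sqlite3.connect(":memory:", isolation_level=None)  # autocommit mode
    db.executescript(SCHEMA)
    # Constructed collision: another writer already used (sid=1, cid=7) in iphdr.
    db.execute("INSERT INTO iphdr VALUES (1, 7, 167772161, 167772162)")
    return db

def rows_for(sid, cid):
    return [
        ("INSERT INTO event VALUES (?, ?, ?)", (sid, cid, 2001)),
        ("INSERT INTO iphdr VALUES (?, ?, ?, ?)", (sid, cid, 167772163, 167772164)),
        ("INSERT INTO data VALUES (?, ?, ?)", (sid, cid, "474554")),
    ]

def log_serial(db, sid, cid):
    """Each insert commits on its own; a failure leaves earlier rows behind."""
    try:
        for sql, args in rows_for(sid, cid):
            db.execute(sql, args)
        return True
    except sqlite3.IntegrityError:
        return False

def log_transactional(db, sid, cid):
    """All inserts for one event share a transaction; a failure undoes them all."""
    db.execute("BEGIN")
    try:
        for sql, args in rows_for(sid, cid):
            db.execute(sql, args)
        db.execute("COMMIT")
        return True
    except sqlite3.IntegrityError:
        db.execute("ROLLBACK")
        return False

def leftover(log_fn):
    """Return (logged_ok, event rows left behind) after the duplicate-key failure."""
    db = new_db()
    ok = log_fn(db, 1, 7)
    n = db.execute("SELECT COUNT(*) FROM event WHERE sid=1 AND cid=7").fetchone()[0]
    return ok, n
```

`leftover(log_serial)` leaves an orphaned `event` row with no matching header or payload, while `leftover(log_transactional)` leaves nothing, which is why a transactional failure points to something outside the writer (a second inserter or a database restart).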