[Snort-users] Barnyard2 not writing to Mysql snorby DB

Michael Green Michael.Green at ...4098...
Tue Jun 5 00:17:18 EDT 2012


I've just configured snort Version in a test environment in preparation for upgrading my production server.

I have it configured for unified2 output and have barnyard2 configured to output to mysql:

##  /etc/snort/p1p1/barnyard2.conf
output database: log, mysql, user=xxx password=password dbname=snorby host= port=3306

My snort start command:
/usr/local/bin/snort -u snort -g snort -i p1p1 -c /etc/snort/p1p1/snort.conf -D

My barnyard2 start command:
/usr/local/bin/barnyard2 -c /etc/snort/p1p1/barnyard2.conf -u snort -g snort -d /var/log/snort/p1p1 -f snort.log -w /var/log/snort/p1p1/waldo -D

Snort is alerting:
New-ids 13:37:02 /var/log/snort/p1p1
root # ls -la /var/log/snort/p1p1
total 24
drwxr-xr-x. 2 snort snort 4096 Jun  5 11:05 .
drwxr-xr-x. 3 snort snort 4096 Jun  1 14:34 ..
-rw-------. 1 snort snort   96 Jun  5 10:18 snort.log.1338854746
-rw-------. 1 snort snort 8011 Jun  5 12:43 snort.log.1338857440
-rw-r--r--. 1 snort snort 2056 Jun  5 12:43 waldo

And Barnyard2 is seeing the alerts. Relevant section from /var/log/messages follows:
Jun  5 11:14:30 New-ids barnyard2[1995]: database: using the "log" facility
Jun  5 11:14:30 New-ids barnyard2[1995]:
Jun  5 11:14:30 New-ids barnyard2[1995]:         --== Initialization Complete ==--
Jun  5 11:14:30 New-ids barnyard2[1995]: Barnyard2 initialization completed successfully (pid=1995)
Jun  5 11:14:30 New-ids barnyard2[1995]: Using waldo file '/var/log/snort/p1p1/waldo':
      spool directory = /var/log/snort/p1p1
      spool filebase  = snort.log
      time_stamp      = 1338857440
      record_idx      = 0
Jun  5 11:14:30 New-ids barnyard2[1995]: Opened spool file '/var/log/snort/p1p1/snort.log.1338857440'
Jun  5 11:14:30 New-ids barnyard2[1995]: Waiting for new data

But nothing is being written to my mysql snorby DB?

I can log into mysql using the required credentials
mysql -u xxx -p snorby

but nothing is written.
mysql> select * from event;
Empty set (0.00 sec)

I'm now lost, and would appreciate some guidance. What should I do next?


Michael Green | Senior Network Engineer | GBST

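Before chasing the MySQL side, it is worth confirming that the spool file barnyard2 opened (snort.log.1338857440 above) really contains IDS event records, and how many; that count is what the snorby event table should end up matching. The following is an added diagnostic, not code from the original post, from Snort or from barnyard2. It walks a unified2 file record by record (each record is a big-endian uint32 type and uint32 length, then the payload), histograms the record types and decodes gid:sid:rev and addresses from the IPv4 event records. Record type numbers and the Unified2IDSEvent field order are taken from Snort's Unified2_common.h; the sample spool bytes are constructed inline so the script runs offline, and a real spool file can be passed as the first argument instead.

```python
"""Count and decode the records in a Snort unified2 spool file.

Added diagnostic example (not from the original post, Snort or barnyard2).
Each record is a Serial_Unified2_Header (big-endian uint32 type, uint32
length) followed by `length` payload bytes. Type numbers and the IDS event
field order follow Snort's Unified2_common.h.
"""
import ipaddress
import struct
import sys

# Record types from Unified2_common.h
UNIFIED2_PACKET = 2
UNIFIED2_IDS_EVENT = 7            # legacy IPv4 event, 52-byte body
UNIFIED2_IDS_EVENT_IPV6 = 72
UNIFIED2_IDS_EVENT_VLAN = 104     # IPv4 event with mpls/vlan fields, 60-byte body
UNIFIED2_IDS_EVENT_IPV6_VLAN = 105
UNIFIED2_EXTRA_DATA = 110

EVENT_TYPES = {UNIFIED2_IDS_EVENT, UNIFIED2_IDS_EVENT_IPV6,
               UNIFIED2_IDS_EVENT_VLAN, UNIFIED2_IDS_EVENT_IPV6_VLAN}

RECORD_HEADER = struct.Struct("!II")
# sensor_id, event_id, event_second, event_microsecond, signature_id,
# generator_id, signature_revision, classification_id, priority_id,
# ip_source, ip_destination, sport_itype, dport_icode, protocol,
# impact_flag, impact, blocked
IDS_EVENT_V1 = struct.Struct("!IIIIIIIIIIIHHBBBB")        # type 7
# same fields plus mpls_label, vlanId, pad2
IDS_EVENT_V2 = struct.Struct("!IIIIIIIIIIIHHBBBBIHH")     # type 104


def iter_records(data):
    """Yield (type, payload) for every complete record; raise on truncation."""
    off = 0
    while off < len(data):
        if off + RECORD_HEADER.size > len(data):
            raise ValueError(f"partial record header at offset {off}")
        rtype, rlen = RECORD_HEADER.unpack_from(data, off)
        off += RECORD_HEADER.size
        if off + rlen > len(data):
            raise ValueError(f"truncated type-{rtype} record at offset {off - RECORD_HEADER.size}")
        yield rtype, data[off:off + rlen]
        off += rlen


def count_records(data):
    """Histogram of record types, e.g. {104: 3, 2: 3}."""
    counts = {}
    for rtype, _ in iter_records(data):
        counts[rtype] = counts.get(rtype, 0) + 1
    return counts


def count_events(data):
    """Number of IDS event records: the figure to compare with SELECT COUNT(*) FROM event."""
    return sum(n for t, n in count_records(data).items() if t in EVENT_TYPES)


def decode_ipv4_event(rtype, payload):
    """Pull the fields an analyst checks first out of a type 7 or type 104 event."""
    fmt = IDS_EVENT_V2 if rtype == UNIFIED2_IDS_EVENT_VLAN else IDS_EVENT_V1
    f = fmt.unpack(payload[:fmt.size])
    return {
        "gid": f[5], "sid": f[4], "rev": f[6],
        "src": str(ipaddress.IPv4Address(f[9])),
        "dst": str(ipaddress.IPv4Address(f[10])),
        "sport": f[11], "dport": f[12], "proto": f[13],
    }


def list_ipv4_events(data):
    return [decode_ipv4_event(t, p) for t, p in iter_records(data)
            if t in (UNIFIED2_IDS_EVENT, UNIFIED2_IDS_EVENT_VLAN)]


# --- constructed sample spool, standing in for a real snort.log.<timestamp> ---
def build_event_v2(gid, sid, rev, src, dst, sport, dport, proto):
    body = IDS_EVENT_V2.pack(1, 1, 1338857440, 0, sid, gid, rev, 0, 3,
                             int(ipaddress.IPv4Address(src)),
                             int(ipaddress.IPv4Address(dst)),
                             sport, dport, proto, 0, 0, 0, 0, 0, 0)
    return RECORD_HEADER.pack(UNIFIED2_IDS_EVENT_VLAN, len(body)) + body


def build_packet(pkt):
    # Serial_Unified2Packet header: sensor_id, event_id, event_second,
    # packet_second, packet_microsecond, linktype, packet_length
    body = struct.pack("!IIIIIII", 1, 1, 1338857440, 1338857440, 0, 1, len(pkt)) + pkt
    return RECORD_HEADER.pack(UNIFIED2_PACKET, len(body)) + body


SAMPLE_SPOOL = (build_event_v2(1, 1000001, 1, "10.0.0.5", "10.0.0.9", 40000, 80, 6)
                + build_packet(b"\x45\x00\x00\x28" + b"\x00" * 36))


if __name__ == "__main__":
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_SPOOL
    print("records by type:", count_records(blob))
    print("IDS events:", count_events(blob))
    for ev in list_ipv4_events(blob):
        print(f"  [{ev['gid']}:{ev['sid']}:{ev['rev']}] {ev['src']}:{ev['sport']} -> "
              f"{ev['dst']}:{ev['dport']} proto {ev['proto']}")
```

Run it as `python3 unified2_count.py /var/log/snort/p1p1/snort.log.1338857440` (as the snort user or root, since the spool is mode 0600). If it reports events but the event table stays empty, the loss is on the barnyard2 to MySQL leg; if it reports zero events or raises a truncation error, the problem is upstream in what Snort wrote. A ValueError on the final record of a live file is expected while Snort is still appending it.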
