[Snort-users] snort events not written by barnyard2 to snorby database

Herbert Groot Jebbink herbert at ...15681...
Sat Jun 23 06:16:47 EDT 2012


Hi,

I have set up snort, barnyard & snorby on an ubuntu 12.4 box; all seems
ok, however the events generated by snort are not written to the mysql
database.

---- below the setup in snort.conf

output alert_unified2: filename alert, limit 128

----- below the barnyard2 config

config reference_file:	    /etc/snort/reference.config
config classification_file: /etc/snort/classification.config
config gen_file:            /etc/snort/gen-msg.map
config sid_file:	    /etc/snort/community-sid-msg.map
config logdir: /var/log/barnyard2/
config waldo_file: /var/log/barnyard2/barnyard2.waldo
input unified2
output alert_fast: stdout
output database: log, mysql, user=snorby password=snorby dbname=snorby host=localhost

---- below the barnyard startup command in /etc/init.d/barnyard2

barnyard2 -d /var/log/snort -f alert > /var/log/barnyard2/start.log 2>&1

---- below the stdout from above barnyard job
---------------------------------------------------

Running in Continuous mode

        --== Initializing Barnyard2 ==--
Initializing Input Plugins!
Initializing Output Plugins!
Parsing config file "/etc/barnyard2.conf"
Log directory = /var/log/barnyard2/
database: compiled support for (mysql)
database: configured to use mysql
database: schema version = 107
database:           host = localhost
database:           user = snorby
database:  database name = snorby
database:    sensor name = gozo:NULL
database:      sensor id = 1
database:     sensor cid = 1
database:  data encoding = hex
database:   detail level = full
database:     ignore_bpf = no
database: using the "log" facility

        --== Initialization Complete ==--

  ______   -*> Barnyard2 <*-
 / ,,_  \  Version 2.1.9 (Build 263)
 |o"  )~|  By the SecurixLive.com Team: http://www.securixlive.com/about.php
 + '''' +  (C) Copyright 2008-2010 SecurixLive.

           Snort by Martin Roesch & The Snort Team:
http://www.snort.org/team.html
           (C) Copyright 1998-2007 Sourcefire Inc., et al.

Using waldo file '/var/log/barnyard2/barnyard2.waldo':
    spool directory = /var/log/snort
    spool filebase  = alert
    time_stamp      = 1340435023
    record_idx      = 83
Opened spool file '/var/log/snort/alert.1340435023'
Waiting for new data
===============================================================================
Record Totals:
   Records:          320
    Events:          320 (100.000%)
   Packets:            0 (0.000%)
===============================================================================
Packet breakdown by protocol (includes rebuilt packets):
      ETH: 0          (0.000%)
  ETHdisc: 0          (0.000%)
     VLAN: 0          (0.000%)
     IPV6: 0          (0.000%)
  IP6 EXT: 0          (0.000%)
  IP6opts: 0          (0.000%)
  IP6disc: 0          (0.000%)
      IP4: 0          (0.000%)
  IP4disc: 0          (0.000%)
    TCP 6: 0          (0.000%)
    UDP 6: 0          (0.000%)
    ICMP6: 0          (0.000%)
  ICMP-IP: 0          (0.000%)
      TCP: 0          (0.000%)
      UDP: 0          (0.000%)
     ICMP: 0          (0.000%)
  TCPdisc: 0          (0.000%)
  UDPdisc: 0          (0.000%)
  ICMPdis: 0          (0.000%)
     FRAG: 0          (0.000%)
   FRAG 6: 0          (0.000%)
      ARP: 0          (0.000%)
    EAPOL: 0          (0.000%)
  ETHLOOP: 0          (0.000%)
      IPX: 0          (0.000%)
    OTHER: 0          (0.000%)
  DISCARD: 0          (0.000%)
InvChkSum: 0          (0.000%)
   S5 G 1: 0          (0.000%)
   S5 G 2: 0          (0.000%)
    Total: 0
===============================================================================

Kind Regards, Herbert
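The startup output above shows barnyard2 reading 320 records from the spool, all of them events and none of them packets, yet nothing reaches the database. A useful first step when triaging a snort -> unified2 -> barnyard2 -> MySQL pipeline is to read the spool file independently of barnyard2, so the snort side (are records being written, what types are they) can be separated from the barnyard2 side (are records being consumed and inserted). The reader below is an added example, not part of Herbert's message and not barnyard2 or Snort code. It assumes the unified2 record layouts as defined in Snort's Unified2_common.h (4-byte type and length header in network byte order, 52-byte legacy IPv4 event, 60-byte VLAN event, 28-byte packet header) and the record-type constants listed in the code; the sample spool it builds when run without arguments is constructed here purely for illustration.

```python
"""Tally a Snort unified2 spool file the way barnyard2's "Record Totals" does,
and decode IPv4 events, so one can see what the spool actually contains.
Added example; not barnyard2 or Snort code."""
import io
import socket
import struct
import sys
from collections import Counter

# Unified2 record types (values as in Snort's Unified2_common.h)
UNIFIED2_PACKET = 2
UNIFIED2_IDS_EVENT = 7            # legacy IPv4 event, 52-byte body
UNIFIED2_IDS_EVENT_IPV6 = 72
UNIFIED2_IDS_EVENT_VLAN = 104     # IPv4 event plus MPLS label and VLAN id, 60 bytes
UNIFIED2_IDS_EVENT_IPV6_VLAN = 105
UNIFIED2_EXTRA_DATA = 110
EVENT_TYPES = {UNIFIED2_IDS_EVENT, UNIFIED2_IDS_EVENT_IPV6,
               UNIFIED2_IDS_EVENT_VLAN, UNIFIED2_IDS_EVENT_IPV6_VLAN}

RECORD_HDR = struct.Struct("!II")          # record type, record length
# Unified2IDSEvent_legacy: 11 x uint32, 2 x uint16, 4 x uint8 = 52 bytes
IDS_EVENT_LEGACY = struct.Struct("!11I2H4B")
VLAN_TAIL = struct.Struct("!IHH")          # mpls_label, vlanId, pad2 (type 104 only)
# Unified2Packet header: sensor_id, event_id, event_second, packet_second,
# packet_microsecond, linktype, packet_length; raw packet bytes follow.
PACKET_HDR = struct.Struct("!7I")


def parse_ipv4_event(rtype, body):
    """Decode a type 7 or type 104 event body into a dict."""
    f = IDS_EVENT_LEGACY.unpack_from(body)
    ev = {
        "sensor_id": f[0], "event_id": f[1], "event_second": f[2],
        "event_microsecond": f[3], "signature_id": f[4], "generator_id": f[5],
        "signature_revision": f[6], "classification_id": f[7], "priority_id": f[8],
        "ip_source": socket.inet_ntoa(struct.pack("!I", f[9])),
        "ip_destination": socket.inet_ntoa(struct.pack("!I", f[10])),
        "sport_itype": f[11], "dport_icode": f[12],
        "protocol": f[13], "impact_flag": f[14], "impact": f[15], "blocked": f[16],
    }
    if rtype == UNIFIED2_IDS_EVENT_VLAN:
        ev["mpls_label"], ev["vlan_id"], _ = VLAN_TAIL.unpack_from(body, IDS_EVENT_LEGACY.size)
    return ev


def iter_records(stream):
    """Yield (type, body) per record; stop cleanly at a truncated tail, which is
    normal for a spool file snort is still appending to."""
    while True:
        hdr = stream.read(RECORD_HDR.size)
        if len(hdr) < RECORD_HDR.size:
            return
        rtype, rlen = RECORD_HDR.unpack(hdr)
        body = stream.read(rlen)
        if len(body) < rlen:
            return
        yield rtype, body


def summarize(stream):
    """Return (Counter of records/events/packets/other, list of decoded IPv4 events)."""
    totals = Counter()
    events = []
    for rtype, body in iter_records(stream):
        totals["records"] += 1
        if rtype in EVENT_TYPES:
            totals["events"] += 1
            if rtype in (UNIFIED2_IDS_EVENT, UNIFIED2_IDS_EVENT_VLAN):
                events.append(parse_ipv4_event(rtype, body))
        elif rtype == UNIFIED2_PACKET:
            totals["packets"] += 1
        else:
            totals["other"] += 1
    return totals, events


def summarize_bytes(data):
    return summarize(io.BytesIO(data))


def build_sample_spool():
    """Constructed sample: one legacy IDS event followed by one packet record.
    All field values are made up for illustration."""
    ev = IDS_EVENT_LEGACY.pack(
        1, 42, 1340435023, 0,       # sensor_id, event_id, event_second, event_usec
        1000001, 1, 3,              # signature_id, generator_id, signature_revision
        1, 2,                       # classification_id, priority_id
        0x0A000001, 0xC0A80101,     # 10.0.0.1 -> 192.168.1.1
        34567, 80,                  # sport_itype, dport_icode
        6, 0, 0, 0)                 # protocol (TCP), impact_flag, impact, blocked
    pkt_data = b"\x00" * 14         # placeholder Ethernet frame, constructed
    pkt = PACKET_HDR.pack(1, 42, 1340435023, 1340435023, 0, 1, len(pkt_data)) + pkt_data
    return (RECORD_HDR.pack(UNIFIED2_IDS_EVENT, len(ev)) + ev
            + RECORD_HDR.pack(UNIFIED2_PACKET, len(pkt)) + pkt)


if __name__ == "__main__":
    if len(sys.argv) > 1:          # e.g. /var/log/snort/alert.1340435023
        with open(sys.argv[1], "rb") as fh:
            totals, events = summarize(fh)
    else:
        totals, events = summarize_bytes(build_sample_spool())
    print(dict(totals))
    for e in events:
        print(e)
```

Run it against the spool file barnyard2 reports opening (here `/var/log/snort/alert.1340435023`): if the tally matches barnyard2's "Record Totals" and the decoded events look sane, the spool side is fine and attention belongs on the database output plugin and the MySQL side (for example `SELECT COUNT(*) FROM event;` in the snorby database, and the MySQL error log). Note that a spool containing only event records and no packet records is exactly what `output alert_unified2` produces, while `output unified2` writes both.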
