[Snort-users] [barnyard2-users] Fatal error after upgrading barnyard2
beenph at ...11827...
Sat Sep 29 11:18:24 EDT 2012
On Sat, Sep 29, 2012 at 11:03 AM, Miguel Alvarez <miguellvrz9 at ...11827...> wrote:
> Hi Eric,
> On Sat, Sep 29, 2012 at 4:28 PM, beenph <beenph at ...11827...> wrote:
>> On Sat, Sep 29, 2012 at 2:43 AM, Miguel Alvarez <miguellvrz9 at ...11827...> wrote:
>>> Good morning,
>>> I upgraded barnyard2 earlier this week to the 1.10 final from beta2
>>> (thank you, elz!) and realized that some of my by2 processes had died.
>>> Looking in the logs, I see these from the MySQL output plugin for my
>>> Snorby instance:
Was this message taken from the system syslog?
And did you have a previous message that would complement the following?
We added some verbosity and I find it curious that there is no
companion message. (failed execution path)
>>> Sep 29 03:27:49 nids12 barnyard2: FATAL ERROR: database
>>> mysql_error: Duplicate entry '16-78634' for key 'PRIMARY'
> Yes, that's the complete message, there is no table name given in the log.
When you updated, did you clean your reference and sig_reference tables?
How many sensors do you have?
Are you sure that if you have N sensors that they all have their unique
config and that they would not overlap using the same sensor id?
>>> I tried removing all existing logs files in case waldo was getting
>>> lost and trying to re-insert already sent records but that didn't seem
>>> to be it. What can I do to resolve this problem?
>> What does your by2 config file look like?
> config utc
> config reference_file: /etc/snort/reference.config
> config classification_file: /etc/snort/classification.config
> config gen_file: /etc/snort/gen-msg.map
> config sid_file: /etc/snort/sid-msg.map
> config daemon
> config set_gid: 500
> config set_uid: 500
> config umask: 066
> config verbose
> config reference_net: 10.0.0.0/8
> input unified2
> output alert_fast: alert
> output database: log, mysql, user=x password=x dbname=x host=x.x.x.x
On a side note,
If you have output database and you run in daemonized mode, you might
want to remove output alert_fast since it would be working for nothing,
not that this has something to do with the issue.