[Snort-users] [barnyard2-users] Fatal error after upgrading barnyard2

Miguel Alvarez miguellvrz9 at ...11827...
Sat Sep 29 11:34:07 EDT 2012


On Sat, Sep 29, 2012 at 5:18 PM, beenph <beenph at ...11827...> wrote:
> On Sat, Sep 29, 2012 at 11:03 AM, Miguel Alvarez <miguellvrz9 at ...11827...> wrote:
>> Hi Eric,
>>
>> On Sat, Sep 29, 2012 at 4:28 PM, beenph <beenph at ...11827...> wrote:
>>> On Sat, Sep 29, 2012 at 2:43 AM, Miguel Alvarez <miguellvrz9 at ...11827...> wrote:
>>>> Good morning,
>>>>
>>>> I upgraded barnyard2 earlier this week to the 1.10 final from beta2
>>>> (thank you, elz!) and realized that some of my by2 processes had died.
>>>>  Looking in the logs, I see these from the MySQL output plugin for my
>>>> Snorby instance:
>
> Re-Hoi Miguel,
>
> Was this message taken from the system syslog?
> And did you have previous message that would complement the following?
>
> We added some verbosity and i find it curious that there is no
> companion message. (failed execution path)

You're right, I apologise, that was not the complete message.  It is:

Sep 29 04:11:17 nids12 barnyard2[28536]: Failed to archive file
"/var/log/snort/eth7/snort.u2.1348805013" to
"/var/log/snort/eth7/snort.u2.1348805013": File exists
Sep 29 04:11:17 nids12 barnyard2[28536]: Closing spool file
'/var/log/snort/eth7/snort.u2.1348805013'. Read 1223 records
Sep 29 04:11:17 nids12 barnyard2[28536]: Opened spool file
'/var/log/snort/eth7/snort.u2.1348868147'
Sep 29 04:11:33 nids12 barnyard2[28536]: Failed to archive file
"/var/log/snort/eth7/snort.u2.1348868147" to
"/var/log/snort/eth7/snort.u2.1348868147": File exists
Sep 29 04:11:33 nids12 barnyard2[28536]: Closing spool file
'/var/log/snort/eth7/snort.u2.1348868147'. Read 68 records
Sep 29 04:11:33 nids12 barnyard2[28536]: Opened spool file
'/var/log/snort/eth7/snort.u2.1348891432'
Sep 29 04:11:33 nids12 barnyard2[28536]: Waiting for new data
Sep 29 04:12:17 nids12 snort[28506]: S5: Pruned session from cache
that was using 1125030 bytes (closed normally). x.x.x.x 59047 -->
x.x.x.x 80 (0) : LWstate 0x9 LWFlags 0x60e007
Sep 29 04:13:03 nids12 barnyard2[28532]: FATAL ERROR: database
mysql_error: Duplicate entry '6-217828' for key 'PRIMARY'
        SQL=[INSERT INTO event (sid,cid,signature,timestamp) VALUES
(6, 217828, 36, '2012-09-29 04:13:02');]

>>>> Sep 29 03:27:49 nids12 barnyard2[18511]: FATAL ERROR: database
>>>> mysql_error: Duplicate entry '16-78634' for key 'PRIMARY'
>>>
>>
>> Yes, that's the complete message, there is no table name given in the log.
>
>
> When you updated did you clean your reference and sig_reference table?

No, I didn't clean anything out -- I suppose I should have since you're asking?

> How many sensor do you have?

20

> Are you sure that if you have N sensor that they all have their unique
> config and that they would not overlap using
> the same sensor id?

I haven't had any problems up until now and things have been going
fine for almost a year.

>>>> I tried removing all existing logs files in case waldo was getting
>>>> lost and trying to re-insert already sent records but that didn't seem
>>>> to be it.  What can I do to resolve this problem?
>>>
>>> How you by2 config file look like?
>>
>> config utc
>> config reference_file:      /etc/snort/reference.config
>> config classification_file: /etc/snort/classification.config
>> config gen_file:            /etc/snort/gen-msg.map
>> config sid_file:            /etc/snort/sid-msg.map
>> config daemon
>> config set_gid: 500
>> config set_uid: 500
>> config umask: 066
>> config verbose
>> config reference_net: 10.0.0.0/8
>> input unified2
>> output alert_fast: alert
>> output database: log, mysql, user=x password=x dbname=x host=x.x.x.x
>> sensor_name=x
>>
>
> On a side note,
>
> If you have output database and you run in daemonized mode, you might
> want to remove output alert_fast since it would be
> working for nothing, not that this has something to do with with the issue.

Thank you, Eric.  I actually do something else with that log.




More information about the Snort-users mailing list