[Snort-users] [barnyard2-users] Fatal error after upgrading barnyard2

beenph beenph at ...11827...
Sat Sep 29 11:45:04 EDT 2012


>>
>> Re-Hoi Miguel,
>>
>> Was this message taken from the system syslog?
>> And did you have a previous message that would complement the following?
>>
>> We added some verbosity and I find it curious that there is no
>> companion message. (failed execution path)
>
> You're right, I apologise, that was not the complete message.  It is:
>
> Sep 29 04:13:03 nids12 barnyard2[28532]: FATAL ERROR: database
> mysql_error: Duplicate entry '6-217828' for key 'PRIMARY'
>         SQL=[INSERT INTO event (sid,cid,signature,timestamp) VALUES
> (6, 217828, 36, '2012-09-29 04:13:02');]

Well, the only way I can see that a by2 process would be re-using the same
event_id is that there would be some collision on sensor_id.

2-1.10 at initialization will query every table to get the latest
event id, and increment it,
update the sensor table and start inserting.

Every db call in 2-1.10 is isolated in a transaction, thus if this
happens it means that something else with the same sensor_id
inserted before the failing transaction was executed.

I know this might sound weird and that you "never had issue" but I
would start looking at making sure that all
your by2 processes have different sensor_id and that they are configured
to collide with another process.

Another thing I would look at is if you have on some system a by2
process running in the background that would
conflict with your "frontman process". Maybe a process didn't
terminate as expected or was started from another
mechanism and is still running.

Which could explain:


>Sep 29 04:11:17 nids12 barnyard2[28536]: Failed to archive file
> "/var/log/snort/eth7/snort.u2.1348805013" to
> "/var/log/snort/eth7/snort.u2.1348805013": File exists


-elz
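
The check suggested in this message can be run over syslog, as an added example that is not part of the original message or of barnyard2: it pairs each duplicate-key failure with any other barnyard2 PID seen on the same host and with archive "File exists" conflicts. The function name `triage`, the joining of the wrapped mail lines into single syslog lines, and the third sample line (host `nids99`) are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Constructed sample: the first two lines are the entries quoted in the thread with
# the mail wrapping joined; the third line is invented to show a single-PID host.
SAMPLE_LOG = (
    'Sep 29 04:11:17 nids12 barnyard2[28536]: Failed to archive file '
    '"/var/log/snort/eth7/snort.u2.1348805013" to '
    '"/var/log/snort/eth7/snort.u2.1348805013": File exists\n'
    "Sep 29 04:13:03 nids12 barnyard2[28532]: FATAL ERROR: database mysql_error: "
    "Duplicate entry '6-217828' for key 'PRIMARY' SQL=[INSERT INTO event "
    "(sid,cid,signature,timestamp) VALUES (6, 217828, 36, '2012-09-29 04:13:02');]\n"
    "Sep 29 05:00:00 nids99 barnyard2[4242]: FATAL ERROR: database mysql_error: "
    "Duplicate entry '9-100' for key 'PRIMARY'\n"
)

LINE_RE = re.compile(
    r"^\w{3}\s+\d+\s+[\d:]+\s+(?P<host>\S+)\s+barnyard2\[(?P<pid>\d+)\]:\s+(?P<msg>.*)$")
DUP_RE = re.compile(r"Duplicate entry '(?P<sid>\d+)-(?P<cid>\d+)' for key 'PRIMARY'")
ARCHIVE_RE = re.compile(r'Failed to archive file "(?P<src>[^"]+)" to "[^"]+": File exists')

def triage(log_text):
    """Return one finding per duplicate-key error, with same-host context."""
    pids = defaultdict(set)      # host -> every barnyard2 PID that logged anything
    archive = defaultdict(list)  # host -> spool files that failed to archive
    dups = []                    # (host, pid, sid, cid) per duplicate-key error
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        host, pid, msg = m["host"], int(m["pid"]), m["msg"]
        pids[host].add(pid)
        d = DUP_RE.search(msg)
        if d:
            dups.append((host, pid, int(d["sid"]), int(d["cid"])))
        a = ARCHIVE_RE.search(msg)
        if a:
            archive[host].append(a["src"])
    # A second PID on the same host is only a lead: one process per interface is a
    # normal setup, so the sensor_id of each listed process still has to be compared.
    return [{"host": h, "pid": p, "sid": s, "cid": c,
             "other_pids": sorted(pids[h] - {p}),
             "archive_conflicts": archive[h]} for h, p, s, c in dups]

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```
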



