[Snort-users] [barnyard2-users] Fatal error after upgrading barnyard2

Miguel Alvarez miguellvrz9 at ...11827...
Sat Sep 29 13:58:22 EDT 2012


On Sat, Sep 29, 2012 at 5:45 PM, beenph <beenph at ...11827...> wrote:
>>>
>>> Re-Hoi Miguel,
>>>
>>> Was this message taken from the system syslog?
>>> And did you have previous message that would complement the following?
>>>
>>> We added some verbosity and i find it curious that there is no
>>> companion message. (failed execution path)
>>
>> You're right, I apologise, that was not the complete message.  It is:
>>
>> Sep 29 04:13:03 nids12 barnyard2[28532]: FATAL ERROR: database
>> mysql_error: Duplicate entry '6-217828' for key 'PRIMARY'
>>         SQL=[INSERT INTO event (sid,cid,signature,timestamp) VALUES
>> (6, 217828, 36, '2012-09-29 04:13:02');]
>
> Well the only way i can see that a by2 process would be re-using the same
> event_id, is that there would be some collision on sensor_id.

The only thing I can think of is that there are a couple of sensor_ids
that are missing since I removed the sensors.  Here's my snorby DB
table (name and hostname omitted):

mysql> select * from sensor;
+-----+----------------+----------------+-----------+--------+--------+----------+----------+--------------+
| sid | name           | hostname       | interface | filter | detail | encoding | last_cid | events_count |
+-----+----------------+----------------+-----------+--------+--------+----------+----------+--------------+
|   1 |                |                | NULL      | NULL   |      1 |        0 |   302720 |       302733 |
|   2 |                |                | NULL      | NULL   |      1 |        0 |    28771 |        28775 |
|   3 |                |                | NULL      | NULL   |      1 |        0 |     5255 |         5261 |
|   4 |                |                | NULL      | NULL   |      1 |        0 |   341199 |       341929 |
|   5 |                |                | NULL      | NULL   |      1 |        0 |     2385 |         2403 |
|   6 |                |                | NULL      | NULL   |      1 |        0 |   217824 |       218558 |
|   7 |                |                | NULL      | NULL   |      1 |        0 |    78988 |        80071 |
|   8 |                |                | NULL      | NULL   |      1 |        0 |   487995 |       488163 |
|   9 |                |                | NULL      | NULL   |      1 |        0 |   282252 |       282261 |
|  10 |                |                | NULL      | NULL   |      1 |        0 |     2130 |         2139 |
|  11 |                |                | NULL      | NULL   |      1 |        0 |   296745 |       296968 |
|  12 |                |                | NULL      | NULL   |      1 |        0 |   145995 |       146027 |
|  13 |                |                | NULL      | NULL   |      1 |        0 |    13053 |        13100 |
|  14 |                |                | NULL      | NULL   |      1 |        0 |   243549 |       243720 |
|  15 |                |                | NULL      | NULL   |      1 |        0 |     7251 |         7260 |
|  16 |                |                | NULL      | NULL   |      1 |        0 |    79086 |        79151 |
|  17 |                |                | NULL      | NULL   |      1 |        0 |   388440 |       388582 |
|  19 |                |                | NULL      | NULL   |      1 |        0 |   222566 |       222799 |
|  20 |                |                | NULL      | NULL   |      1 |        0 |      143 |          180 |
|  21 |                |                | NULL      | NULL   |      1 |        0 |      579 |          629 |
|  23 |                |                | NULL      | NULL   |      1 |        0 |      134 |          153 |
+-----+----------------+----------------+-----------+--------+--------+----------+----------+--------------+
21 rows in set (0.00 sec)

> 2-1.10 at initialization will query every table to get the latest
> event id, and increment it,
> update the sensor table and start inserting.
>
> Every db call in 2-1.10 is isolated in a transaction, thus if this
> happens it means that something else with the same sensor_id
> inserted before failing transaction was executed.
>
> I know this might sound weird and that you "never had issue" but i
> would start looking at making sure that all
> your by2 process have different sensor_id and that they are configured
> to collide with an other process.
>
> Another thing i would look at is if you have on some system a by2
> process running in the background that would
> conflict with your "frontman process". Maybe a process didn't
> terminate as expected or was started from another
> mechanism and is still running.
>
> Which could explain:
>
>
>>Sep 29 04:11:17 nids12 barnyard2[28536]: Failed to archive file
>> "/var/log/snort/eth7/snort.u2.1348805013" to
>> "/var/log/snort/eth7/snort.u2.1348805013": File exists

I don't think that's the case but will look again.

Thanks again for your help!

MA
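The collision beenph describes, as an added illustration that is not part of this thread or of barnyard2's own code: By2Process is a hypothetical model of the quoted 2-1.10 startup logic (read the latest cid for the sid, then increment per insert, one transaction per event), run against an in-memory SQLite stand-in for the Snort event/sensor schema.

```python
import sqlite3

# Constructed stand-in for the schema the thread discusses: event rows are keyed
# by PRIMARY KEY (sid, cid), and the sensor table tracks each sid's last_cid.
SCHEMA = """
CREATE TABLE sensor (sid INTEGER PRIMARY KEY, last_cid INTEGER NOT NULL);
CREATE TABLE event (sid INTEGER, cid INTEGER, signature INTEGER, timestamp TEXT,
                    PRIMARY KEY (sid, cid));
"""


class By2Process:
    """Hypothetical model of the by2 2-1.10 startup logic quoted in the thread:
    read the latest cid for this sid once, then hand out cid+1, cid+2, ... per insert."""

    def __init__(self, db, sid):
        self.db, self.sid = db, sid
        (last,) = db.execute("SELECT MAX(cid) FROM event WHERE sid=?", (sid,)).fetchone()
        self.next_cid = (last or 0) + 1
        with db:
            db.execute("INSERT OR REPLACE INTO sensor VALUES (?,?)", (sid, last or 0))

    def insert_event(self, signature, ts):
        cid = self.next_cid
        with self.db:  # one isolated transaction per event; rolled back on failure
            self.db.execute("INSERT INTO event VALUES (?,?,?,?)", (self.sid, cid, signature, ts))
            self.db.execute("UPDATE sensor SET last_cid=? WHERE sid=?", (cid, self.sid))
        self.next_cid += 1
        return cid


def run_scenario(sid_a, sid_b, preload=5):
    """Start two by2 processes (one per given sid), then let each insert one event.
    Returns the (sid, cid) keys written and, if the second insert hits the
    PRIMARY KEY, the key it tried to reuse, mirroring the 'Duplicate entry' log line."""
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    with db:  # constructed history so MAX(cid) for sid_a is non-trivial
        for cid in range(1, preload + 1):
            db.execute("INSERT INTO event VALUES (?,?,?,?)", (sid_a, cid, 36, "2012-09-29 04:13:02"))
    a, b = By2Process(db, sid_a), By2Process(db, sid_b)
    written = []
    try:
        written.append((sid_a, a.insert_event(36, "2012-09-29 04:13:02")))
        written.append((sid_b, b.insert_event(36, "2012-09-29 04:13:02")))
    except sqlite3.IntegrityError as err:
        return {"collision": (b.sid, b.next_cid), "error": str(err), "written": written}
    return {"collision": None, "written": written}
```

Two processes sharing sid 6 both read MAX(cid)=5 at startup, so the second one's INSERT of (6, 6) fails on the primary key exactly as in the syslog line; giving the second process its own sid avoids the clash.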
