[Snort-users] Barnyard2 database failures

Dave Corsello snort-users at ...15598...
Wed Jan 2 16:24:38 EST 2013


I don't restart barnyard2, and I don't restart or backup the database 
(although I probably should).  My database logs are empty.

The errors happen at random times throughout the day, and they don't 
correlate to any other scheduled activity.

Again, the only factor that has changed is that Snort has been upgraded.

Is there any significance in the fact that all failed transactions 
contain the following string:  WARNING database: [Database()] Failed 
transaction with current query transaction #012

On 12/30/2012 11:54 AM, beenph wrote:
> And do you use something to stop barnyard2 periodically and restart it?
> Like a wrapper to pulled pork?
> Would it be possible that your databaser server stop and restart?
> Do you have database logs?
> With the 2-1.1x code changes where made to the output plugin so that 
> if a event is not logged, its not logged at all with 2-1.9 and 
> historically before each of those
> insertion where done serially instead of being wrapped in a 
> transaction bloc so if it was failing halfway you could find some 
> information that was logged incompletly.
> So for this to happen offent, there is probably something arround by2 
> that would be causing/triggering the issue.
> Do you do a backup operation on your database?
> Oh and this should have nothing to do with snort just to get back to 
> the initial questionning.
> Snort log to unified2 and by2 process the unified2 file so there is no 
> link betwen the database and
> snort.
> -elz
>
>
> On Sun, Dec 30, 2012 at 11:43 AM, Dave Corsello 
> <snort-users at ...15598... 
> <mailto:snort-users at ...15598...>> wrote:
>
>     Hi elz,
>
>     Thanks for your reply.  On each sensor, barnyard2 is configured
>     with a unique hostname, so that there are two sensors in the
>     sensor table, and there's only one instance of Barnyard2 running
>     on each sensor.
>
>     --Dave
>
>
>     On 12/29/2012 8:54 PM, beenph wrote:
>
>         Hi dave,
>         In both of your barnyard2 configuration do you use
>         different information so that you have two sensor
>         in your sensor table?
>         Because if you use the same information, then it would
>         be seen as 1 sensor and you could hit a race condition
>         which could lead to this.
>         So i would make sure that you both barnyard2 instances have
>         different information,
>         and also make sure that you do not have an other barnayrd2
>         process in the backgroud .
>         Mabey launched by a startup script etc.
>         This error would only happen if the transaction fail
>         (duplicate key) or if your database die,
>         i suspect you have an other process also inserting and this is
>         why your hitting this condition.
>         -elz
>
>
>

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20130102/5c87160d/attachment.html>


More information about the Snort-users mailing list