[Snort-users] Barnyard2 reports database insert errors
snort-users at ...15598...
Sat Nov 2 18:06:51 EDT 2013
On 11/2/2013 1:16 PM, beenph wrote:
> Timestamp is not necessarily important (while yes it can allow you to
> correlate). You can have more than one event with the same timestamp,
> thus it's not a definitive identifier, especially at the schema level.
> And cid is incremented every time an event is logged.
>> By elimination, I think the possibilities are that either: 1) MySQL is
>> intermittently not sending back a status; 2) barnyard2 is intermittently not
>> processing the MySQL status that it receives; or 3) sometimes the status
>> message gets lost between the MySQL box and the Snort box. Number 3 might
>> be supported by the fact that the NIC on my MySQL box shows in the
>> neighborhood of 500 RX-ERR packets for every 3 million RX-OK packets daily.
>> My Snort box shows consistently 0 RX-ERR and 0 TX-ERR. But it would seem to
>> me that RX-ERRs on the MySQL box would more likely result in botched
>> inserts, not in status messages failing to transmit, right? Unless the
>> packets that are failing are ones that would indicate where MySQL should
>> send a status message... I wonder if this would cause MySQL to throw errors
>> that appear in a log... Nope, the MySQL error logs are empty. Again, the
>> RX-ERRs could be related to something peculiar within the overall
>> environment. I'll look into that when I have time.
> I do not even understand what you mean by "status" at the mysql level.
MySQL returns info on the success or failure of a query, right? That's
what I mean by "status".
> What I think is that you could have had a network outage on the link between
> the by2 vm and the mysql vm, and that as soon as the connection was brought
> back up, operation resumed to normal but you got the error message logged.
I see, so you think the inserts initially fail, but barnyard2 tries
again, and then they succeed.
> Anyhow, if I look at the original error message you posted, there was
> probably more data than just this:
> Nov 1 10:25:14 snort2 barnyard2[XXXXX]: [Database()]: Insertion of Query
> [INSERT INTO event (sid,cid,signature,timestamp) VALUES (X, XXXXXX,
> XXXXXX, '2013-11-01 10:25:09');] failed
> You probably got the full stack of the event logged to syslog like it
> should be outputting.
Yes, I posted only the first query failure.
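The thread turns on two facts: barnyard2 logs the full INSERT (including sid and cid) when an insert fails, and cid is incremented for every event logged. That makes it possible to settle the question "did the failed inserts get retried and succeed, or were events lost?" without guessing about MySQL status messages. The script below is an added example, not code from the original thread or from barnyard2: it parses the failure lines from syslog in the format quoted above, checks the (sid, cid) pairs against the rows of the `event` table, and separately looks for holes in the cid sequence. Both the syslog lines and the event rows are constructed sample data with made-up values; in practice the rows would come from `SELECT sid, cid FROM event` against the same database barnyard2 writes to.

```python
import re
from dataclasses import dataclass

# Constructed syslog sample in the shape barnyard2 uses when an insert fails.
# PIDs, sids, cids, signature ids and timestamps are made up for illustration.
SAMPLE_SYSLOG = """\
Nov  1 10:25:14 snort2 barnyard2[4321]: [Database()]: Insertion of Query [INSERT INTO event (sid,cid,signature,timestamp) VALUES (1, 100457, 812, '2013-11-01 10:25:09');] failed
Nov  1 10:25:14 snort2 barnyard2[4321]: [Database()]: Insertion of Query [INSERT INTO event (sid,cid,signature,timestamp) VALUES (1, 100458, 812, '2013-11-01 10:25:09');] failed
Nov  1 10:25:15 snort2 barnyard2[4321]: [Database()]: Insertion of Query [INSERT INTO event (sid,cid,signature,timestamp) VALUES (1, 100459, 3104, '2013-11-01 10:25:10');] failed
Nov  1 10:25:15 snort2 barnyard2[4321]: database: mysql connection re-established (constructed, unrelated line)
"""

# Constructed rows as `SELECT sid, cid FROM event ORDER BY sid, cid` would return them.
# cids 100457 and 100458 made it in (a retry succeeded); 100459 did not.
SAMPLE_EVENT_ROWS = [
    (1, 100455), (1, 100456), (1, 100457), (1, 100458), (1, 100460), (1, 100461),
]

# Matches the failure line format quoted in the thread and captures the values
# barnyard2 was trying to insert.
FAILED_INSERT_RE = re.compile(
    r"barnyard2\[\d+\]: \[Database\(\)\]: Insertion of Query "
    r"\[INSERT INTO event \(sid,cid,signature,timestamp\) VALUES "
    r"\((?P<sid>\d+), (?P<cid>\d+), (?P<sig>\d+), '(?P<ts>[^']+)'\);\] failed"
)


@dataclass(frozen=True)
class FailedInsert:
    sid: int
    cid: int
    signature: int
    timestamp: str


def parse_failed_inserts(syslog_text):
    """Return one FailedInsert per barnyard2 insert-failure line; other lines are ignored."""
    found = []
    for line in syslog_text.splitlines():
        m = FAILED_INSERT_RE.search(line)
        if m:
            found.append(FailedInsert(int(m["sid"]), int(m["cid"]), int(m["sig"]), m["ts"]))
    return found


def classify_failures(failures, event_rows):
    """Split failed inserts into those whose (sid, cid) now exists in the event
    table (the retry succeeded) and those that are genuinely missing."""
    present = set(event_rows)
    recovered = [f for f in failures if (f.sid, f.cid) in present]
    lost = [f for f in failures if (f.sid, f.cid) not in present]
    return recovered, lost


def cid_gaps(event_rows):
    """Because cid increments once per logged event, any hole in the cid
    sequence for a sensor is an event that never reached the database.
    Returns {sid: [missing cids]} for sensors that have holes."""
    by_sid = {}
    for sid, cid in event_rows:
        by_sid.setdefault(sid, set()).add(cid)
    gaps = {}
    for sid, cids in by_sid.items():
        missing = [c for c in range(min(cids), max(cids) + 1) if c not in cids]
        if missing:
            gaps[sid] = missing
    return gaps


if __name__ == "__main__":
    failures = parse_failed_inserts(SAMPLE_SYSLOG)
    recovered, lost = classify_failures(failures, SAMPLE_EVENT_ROWS)
    print(f"{len(failures)} failed inserts logged, {len(recovered)} recovered, {len(lost)} lost")
    for f in lost:
        print(f"  lost: sid={f.sid} cid={f.cid} sig={f.signature} at {f.timestamp}")
    print("cid gaps by sid:", cid_gaps(SAMPLE_EVENT_ROWS))
```

If every failed (sid, cid) turns up in the table and `cid_gaps` is empty, the inserts were retried after the connection came back, which supports the network-blip explanation; a non-empty gap list for the sids in the failure messages means events were actually dropped and the RX-ERR counters on the MySQL host deserve a closer look.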