On 11/2/2013 1:16 PM, beenph wrote:
> Timestamp is not necessarily important (while yes it can allow you to 
> correlate). You can have more than one event with the same timestamp, 
> thus it's not a definitive identifier, especially at the schema level. 
> And cid is incremented every time an event is logged.
>> By elimination, I think the possibilities are that either: 1) MySQL is
>> intermittently not sending back a status; 2) barnyard2 is intermittently not
>> processing the MySQL status that it receives; or 3) sometimes the status
>> message gets lost between the MySQL box and the Snort box.  Number 3 might
>> be supported by the fact that the NIC on my MySQL box shows in the
>> neighborhood of 500 RX-ERR packets for every 3 million RX-OK packets daily.
>> My Snort box shows consistently 0 RX-ERR and 0 TX-ERR.  But it would seem to
>> me that RX-ERRs on the MySQL box would more likely result in botched
>> inserts, not in status messages failing to transmit, right?  Unless the
>> packets that are failing are ones that would indicate where MySQL should
>> send a status message...  I wonder if this would cause MySQL to throw errors
>> that appear in a log...  Nope, the MySQL error logs are empty.  Again, the
>> RX-ERRs could be related to something peculiar within the overall
>> environment.  I'll look into that when I have time.
> I do not even understand what you mean by "status" at the mysql level.

MySQL returns info on the success or failure of a query, right? That's 
what I mean by "status".

> What I think is that you could have had a network outage on the link between
> the by2 vm and the mysql vm, and that as soon as the connection was brought
> back up, operation resumed to normal but you got the error message logged.

I see, so you think the inserts initially fail, but barnyard2 tries 
again, and then they succeed.

> Anyhow if I look at the original err message you posted there was
> probably more data than just this
> <SNIP>
> Nov 1 10:25:14 snort2 barnyard2[XXXXX]: [Database()]: Insertion of Query
> [INSERT INTO event (sid,cid,signature,timestamp) VALUES (X, XXXXXX,
> XXXXXX, '2013-11-01 10:25:09');] failed
> </SNIP>
> You probably got the full stack of the event logged to syslog like it
> should be outputting.

Yes, I posted only the first query failure.
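The check the two of you are circling (did the events whose INSERT was logged as failed end up in the database after all, as they would if barnyard2 retried over a restored link, or are they really missing?) can be done mechanically from the syslog lines. The script below is an added example, not code from this thread or from barnyard2: it parses the "Insertion of Query [...] failed" lines in the format quoted above, pulls out (sid, cid, signature, timestamp), builds the SELECT to run against the barnyard2 database, and classifies each failed insert as "landed" or "missing" given the rows that query returns. The sample syslog lines, the PID, the sid/cid/signature values and the set of rows "present" in the database are all constructed for the demo. It relies on (sid, cid) being the primary key of the event table, which is how the standard Snort/barnyard2 MySQL schema defines it; note that two of the constructed events share a timestamp but have distinct cids, which is exactly why cid, not timestamp, is the key to reconcile on.

```python
import re

# Constructed sample syslog output, mirroring the barnyard2 message format quoted
# in the thread. Hostname, PID and all numeric values are made up for the demo.
SAMPLE_SYSLOG = """\
Nov 1 10:25:14 snort2 barnyard2[4242]: [Database()]: Insertion of Query [INSERT INTO event (sid,cid,signature,timestamp) VALUES (1, 100501, 77, '2013-11-01 10:25:09');] failed
Nov 1 10:25:14 snort2 barnyard2[4242]: [Database()]: Insertion of Query [INSERT INTO event (sid,cid,signature,timestamp) VALUES (1, 100502, 77, '2013-11-01 10:25:09');] failed
Nov 1 10:25:15 snort2 barnyard2[4242]: [Database()]: Insertion of Query [INSERT INTO event (sid,cid,signature,timestamp) VALUES (1, 100503, 12, '2013-11-01 10:25:10');] failed
Nov 1 10:26:00 snort2 barnyard2[4242]: [Database()]: some unrelated message
"""

# Matches only the failed INSERT INTO event lines; other barnyard2 chatter is ignored.
FAILED_INSERT_RE = re.compile(
    r"Insertion of Query \[INSERT INTO event \(sid,cid,signature,timestamp\) "
    r"VALUES \((?P<sid>\d+),\s*(?P<cid>\d+),\s*(?P<sig>\d+),\s*'(?P<ts>[^']+)'\);\] failed"
)


def parse_failed_inserts(text):
    """Return a list of (sid, cid, signature, timestamp) tuples, one per failed-insert line."""
    found = []
    for line in text.splitlines():
        m = FAILED_INSERT_RE.search(line)
        if m:
            found.append((int(m["sid"]), int(m["cid"]), int(m["sig"]), m["ts"]))
    return found


def duplicate_timestamps(failed):
    """Timestamps shared by more than one failed event (shows why timestamp is not a key)."""
    seen = {}
    for _, _, _, ts in failed:
        seen[ts] = seen.get(ts, 0) + 1
    return sorted(ts for ts, n in seen.items() if n > 1)


def reconciliation_query(failed):
    """Build the SELECT to run on the barnyard2 database to see which failed rows exist now.

    (sid, cid) is the event table's primary key in the standard Snort schema, so a row
    either exists for that pair or the event was never stored.
    """
    pairs = sorted({(sid, cid) for sid, cid, _, _ in failed})
    values = ", ".join(f"({sid},{cid})" for sid, cid in pairs)
    return f"SELECT sid, cid FROM event WHERE (sid, cid) IN ({values}) ORDER BY sid, cid;"


def classify(failed, present):
    """Split failed inserts into those now present in the DB (retry succeeded) and those missing.

    `present` is the set of (sid, cid) pairs returned by reconciliation_query().
    """
    landed = [e for e in failed if (e[0], e[1]) in present]
    missing = [e for e in failed if (e[0], e[1]) not in present]
    return landed, missing


if __name__ == "__main__":
    failed = parse_failed_inserts(SAMPLE_SYSLOG)
    print(f"{len(failed)} failed inserts parsed")
    print("timestamps shared by several events:", duplicate_timestamps(failed))
    print(reconciliation_query(failed))
    # Constructed stand-in for the query result: pretend two of the three rows exist.
    present = {(1, 100501), (1, 100503)}
    landed, missing = classify(failed, present)
    print("landed:", [(s, c) for s, c, _, _ in landed])
    print("missing:", [(s, c) for s, c, _, _ in missing])
```

Run the generated SELECT on the MySQL box, feed the returned (sid, cid) pairs into classify(), and the "missing" list is the set of events that were actually lost; an empty list supports the outage-then-retry explanation, while a non-empty one means the failures are real gaps in the event table. The regex is deliberately strict about the column list and value order, so if your barnyard2 build logs the query in a different shape, adjust the pattern rather than loosening it.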

