[Snort-users] Could not add event to decoderActionQ

elof at ...6680... elof at ...6680...
Thu Dec 11 06:06:20 EST 2014


Hi!

After I updated all my sensors to snort 2.9.7.0, a few of them have 
started logging:

2014-12-11 11:31:46 +01:00 foobar snort[22529]: Could not add event 
to decoderActionQ
2014-12-11 11:31:46 +01:00 foobar snort[22529]: Could not add drop 
event to decoderActionQ
2014-12-11 11:31:46 +01:00 foobar snort[22529]: Could not add event 
to decoderActionQ
2014-12-11 11:31:46 +01:00 foobar snort[22529]: Could not add drop 
event to decoderActionQ
2014-12-11 11:31:46 +01:00 foobar snort[22529]: Could not add event 
to decoderActionQ
2014-12-11 11:31:46 +01:00 foobar snort[22529]: Could not add drop 
event to decoderActionQ
2014-12-11 11:31:46 +01:00 foobar snort[22529]: Could not add event 
to decoderActionQ
2014-12-11 11:31:46 +01:00 foobar snort[22529]: Could not add drop 
event to decoderActionQ
2014-12-11 11:31:46 +01:00 foobar snort[22529]: Could not add event 
to decoderActionQ
2014-12-11 11:31:46 +01:00 foobar snort[22529]: Could not add drop 
event to decoderActionQ
2014-12-11 11:31:46 +01:00 foobar snort[22529]: Could not add event 
to decoderActionQ
2014-12-11 11:31:46 +01:00 foobar snort[22529]: Could not add drop 
event to decoderActionQ
2014-12-11 11:32:04 +01:00 foobar snort[22529]: Could not add event 
to decoderActionQ
2014-12-11 11:32:04 +01:00 foobar snort[22529]: Could not add drop 
event to decoderActionQ
2014-12-11 11:32:04 +01:00 foobar snort[22529]: Could not add event 
to decoderActionQ
2014-12-11 11:32:04 +01:00 foobar snort[22529]: Could not add drop 
event to decoderActionQ
2014-12-11 11:32:04 +01:00 foobar snort[22529]: Could not add event 
to decoderActionQ
2014-12-11 11:32:04 +01:00 foobar snort[22529]: Could not add drop 
event to decoderActionQ
2014-12-11 11:32:04 +01:00 foobar snort[22529]: Could not add event 
to decoderActionQ
2014-12-11 11:32:04 +01:00 foobar snort[22529]: Could not add drop 
event to decoderActionQ
2014-12-11 11:32:15 +01:00 foobar snort[22529]: Could not add event 
to decoderActionQ
2014-12-11 11:32:15 +01:00 foobar snort[22529]: Could not add drop 
event to decoderActionQ
2014-12-11 11:32:15 +01:00 foobar snort[22529]: Could not add event 
to decoderActionQ
2014-12-11 11:32:15 +01:00 foobar snort[22529]: Could not add drop 
event to decoderActionQ
2014-12-11 11:32:15 +01:00 foobar snort[22529]: Could not add event 
to decoderActionQ
2014-12-11 11:32:15 +01:00 foobar snort[22529]: Could not add drop 
event to decoderActionQ
2014-12-11 11:32:15 +01:00 foobar snort[22529]: Could not add event 
to decoderActionQ
2014-12-11 11:32:15 +01:00 foobar snort[22529]: Could not add drop 
event to decoderActionQ


I've been running snort for years, and this is the first time I see 
these. I wonder:


Q1: What is this?



I increased the line
config event_queue: max_queue 8 log 5 order_events content_length
to
config event_queue: max_queue 16 log 12 order_events content_length

...but still get the syslog messages.

Q2: Anyone know why?


/Elof




More information about the Snort-users mailing list