Re: [Snort-users] barnyard logging problems

Posted 09-26-2003 by Bamm Visscher

Just to clarify, you can't have more than one instance of barnyard using the same sid (sensor id) reporting to the DB. You can, however, have many different barnyard procs using different sids reporting to the same DB. And I also just noticed that in the config files below, you ARE using different sids. (Note to self: don't reply to emails until AFTER the first cup of coffee.) Are you sure that none of your other sensors are using the sid '3'?

Bammkkkk

On Fri, Sep 26, 2003 at 08:16:40AM -0500, Bamm Visscher wrote:
> Posting this to one of the barnyard specific lists [0] might have gotten you faster results.
>
> To answer your question, you cannot have two barnyard procs reporting to the same database (and tables) at the same time. On init, the ACID plugin in barnyard SELECTs the next 'cid' or 'count ID'. This number is an incremented int providing a unique ID (sid, cid is the primary key for most of the tables in an ACID DB) for each alert INSERTed into the DB. The number is 'tracked' in that barnyard process only (++op_data->event_id;) so if one barnyard process uses the 'next' event id (cid), there is no way for the other barnyard proc to know that and it will get an error when it tries to insert a duplicate key into the DB.
>
> Bammkkkk
>
> [0] http://sourceforge.net/mail/?group_id=34732
>
> On Fri, Sep 26, 2003 at 07:47:01AM -0400, Jason wrote:
> > I hate having to repost, but no one ever answered, and the problem is
> > getting worse as the DB gets larger. I currently have 7 sensors pointed
> > to the backend DB. Below is the conf file from one of them.
> >
> > Could someone post their barnyard config files (someone logging both
> > alerts and logs)? I seem to be having an issue. When running two
> > instances of barnyard, one always seems to crap out on me when it hits a
> > duplicate key (which is what it should do; however, I cannot seem to
> > prevent the duplicate keys).
> > Below is the error and the conf files. Most options (daemon mode etc.) are
> > started from the command line, and each instance uses its own pid and waldo
> > file.
> >
> > Sep 16 14:20:08 snortdmz barnyard: FATAL ERROR: Error (Duplicate entry '3-5882' for key 1) executing query: INSERT INTO event(sid, cid, signature, timestamp) VALUES('3', '5882', '40', '2003-09-16 14:05:21 -0400')
> >
> > Barnyard conf no 1:
> > -------------------
> > snortdmz# more barnyard.conf.alert
> > #config daemon
> > config localtime
> > config hostname: snort.dmz
> > config interface: fxp0
> > config filter: not port 22
> > processor dp_alert
> > processor dp_log
> > processor dp_stream_stat
> > output alert_fast
> > output log_dump
> > #output alert_syslog
> > #output log_pcap
> > output alert_acid_db: mysql, sensor_id 4, database snort_log, server 127.0.0.1, user snort, password *****
> > #output log_acid_db: mysql, database snort_log, server 127.0.0.1, user snort, password *****, detail full
> >
> > Barnyard conf no 2:
> > -------------------
> > snortdmz# more barnyard.conf.log
> > #config daemon
> > config localtime
> > config hostname: snort.dmz
> > config interface: fxp0
> > config filter: not port 22
> > processor dp_alert
> > processor dp_log
> > processor dp_stream_stat
> > #output alert_fast
> > #output log_dump
> > #output alert_syslog
> > #output log_pcap
> > #output alert_acid_db: mysql, sensor_id 3, database snort_log, server 127.0.0.1, user snort, password *****
> > output log_acid_db: mysql, database snort_log, server 127.0.0.1, user snort, password *****, detail full
> >
> >
> >
> > -------------------------------------------------------
> > This sf.net email is sponsored by:ThinkGeek
> > Welcome to geek heaven.
> > http://thinkgeek.com/sf
> > _______________________________________________
> > Snort-users mailing list
> > Snort-users@lists.sourceforge.net
> > Go to this URL to change user options or unsubscribe:
> > https://lists.sourceforge.net/lists/...fo/snort-users
> > Snort-users list archive:
> > http://www.geocrawler.com/redir-sf.p...st=snort-users



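As an added illustration (not code from this thread or from barnyard itself), the cid bookkeeping Bamm describes, modelled with an in-memory SQLite table that uses the same (sid, cid) primary key as the ACID schema: each writer reads the high cid once at startup and then only increments a private counter, so two writers sharing a sid collide on their first insert while writers with distinct sids never do. The class and function names are hypothetical.

```python
import sqlite3

# Constructed stand-in for the ACID 'event' table; (sid, cid) is the primary key,
# which is exactly the constraint behind the "Duplicate entry '3-5882'" error above.
SCHEMA = ("CREATE TABLE event (sid INTEGER, cid INTEGER, signature INTEGER, "
          "timestamp TEXT, PRIMARY KEY (sid, cid))")


class BarnyardAcidWriter:
    # Hypothetical model of the alert_acid_db plugin's cid bookkeeping.
    def __init__(self, conn, sid):
        self.conn = conn
        self.sid = sid
        # On init the plugin SELECTs the current high cid for its sensor id once ...
        row = conn.execute("SELECT MAX(cid) FROM event WHERE sid = ?", (sid,)).fetchone()
        self.event_id = row[0] or 0

    def insert_event(self, signature, timestamp):
        # ... and from then on only bumps its private counter (++op_data->event_id),
        # never re-reading the table to see what another process has used.
        self.event_id += 1
        self.conn.execute(
            "INSERT INTO event(sid, cid, signature, timestamp) VALUES (?, ?, ?, ?)",
            (self.sid, self.event_id, signature, timestamp),
        )
        self.conn.commit()
        return self.event_id


def run_two_writers(sid_a, sid_b, events_each=3):
    """Run two writers against one DB; return (rows inserted, duplicate key seen)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    a = BarnyardAcidWriter(conn, sid_a)
    b = BarnyardAcidWriter(conn, sid_b)  # both initialise before either inserts
    collision = False
    for i in range(events_each):
        try:
            a.insert_event(40, f"2003-09-16 14:05:{i:02d} -0400")
            b.insert_event(40, f"2003-09-16 14:05:{i:02d} -0400")
        except sqlite3.IntegrityError:  # "Duplicate entry" in MySQL terms
            collision = True
            break
    rows = conn.execute("SELECT COUNT(*) FROM event").fetchone()[0]
    conn.close()
    return rows, collision
```

`run_two_writers(3, 3)` stops after a single row with a duplicate-key error, whereas `run_two_writers(3, 4)` inserts all six rows, which is the distinction between the two barnyard.conf files in the thread.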