Snort mailing list archives

RE: MySQL & ACID Issues


From: "Rossi, Rob" <RRossi () erac com>
Date: Tue, 11 Mar 2003 11:44:29 -0600

After archiving, go to the ACID configured to display the archive and from
the main page click the link for Application cache and status, then click the
Update Alert Cache. See if they show up then.

Robert J Rossi, BSCS CCNA
System Administrator
Enterprise Rent-A-Car
rrossi () erac com




-----Original Message-----
From: - - [mailto:zerobreak () dfxdesigns com]
Sent: Tuesday, March 11, 2003 10:14 AM
To: snort-users () lists sourceforge net
Subject: [Snort-users] MySQL & ACID Issues


My current setup consists of snort logging to mysql, then using acid to view
the logs. Within the web server I have two copies of acid, one configured
for the live snort database, the other for the archive, making it easier
to move back and forth between both databases.

The problem that just showed up about a week ago is that if I go to move
events from the live database to the archive through acid, Acid says they
have successfully been moved, but when viewing the archived database, they
are not added. The database stays the same size with the same amount of
alerts as before I tried moving any from the live database. They do in fact
disappear from the live database too. So if I go to move any alerts, they
disappear from the live, and never show up in the archive... losing the
events. Also if I check the individual mysql files on the file system, it
shows they have been modified.

Checking the logs of snort, apache, & mysql shows nothing out of the
ordinary. The live database continues to work fine with new events written
to it constantly. In the archive database, I can also delete events, but not
copy or move. I tried deleting the snort_archive database and starting over
from 0 events before trying to restore the backup; this also did not work. I
have a feeling that it's something to do with acid, but I'm not sure. I
tried a freshly untarred copy of acid and adodb, but this also did not work.
My versions are listed below, and any help is greatly appreciated. For now
all I can do is leave all the alerts in the live database. But it's getting
quite cumbersome.


Slackware 8.1
Snort 1.9.0
MySQL 3.23.55
Adodb 3.10
Acid 0.9.6b23

Thanks again,
ZB



-------------------------------------------------------
This SF.net email is sponsored by:Crypto Challenge is now open! 
Get cracking and register here for some mind boggling fun and 
the chance of winning an Apple iPod:
http://ads.sourceforge.net/cgi-bin/redirect.pl?thaw0031en
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

