Snort mailing list archives

RE: Acid database lost events, help!!!


From: Tinsley Paul <Paul.Tinsley () HCAhealthcare com>
Date: Wed, 21 May 2003 10:52:51 -0500

This should tell you how many events you have in your database:

mysql -usnort_user -psnort_password snort_database -e "select count(*) from event"

If the number isn't what you want to see then you are probably missing your events :(

-----Original Message-----
From: Brei, Matt [mailto:mbrei () medclaiminc com]
Sent: Wednesday, May 21, 2003 10:35 AM
To: Tinsley Paul; snort-users () lists sourceforge net
Subject: RE: [Snort-users] Acid database lost events, help!!!


So my alerts are gone?  If I run optimize table it looks like it will
just reclaim that space.

Matt Brei


-----Original Message-----
From: Tinsley Paul [mailto:Paul.Tinsley () HCAhealthcare com] 
Sent: Wednesday, May 21, 2003 11:25 AM
To: Brei, Matt; snort-users () lists sourceforge net
Subject: RE: [Snort-users] Acid database lost events, help!!!

Looking at the size of the database isn't a good telling sign of how much
data you have in a MySQL database.  When records are deleted the space is
not reclaimed unless you specifically reclaim it.  From MySQL docs: "Deleted
records are maintained in a linked list and subsequent INSERT operations
reuse old record positions."

See http://www.mysql.com/doc/en/OPTIMIZE_TABLE.html for more information on
the subject.

One thing that you have to be careful with in reference to ACID is the
timeout you have set for PHP.  If it's in the middle of an operation and PHP
decides the task has been running too long, it will give your process the
axe.  If the code isn't written with that in mind it could easily corrupt
your data :(

-----Original Message-----
From: Brei, Matt [mailto:mbrei () medclaiminc com]
Sent: Wednesday, May 21, 2003 9:46 AM
To: snort-users () lists sourceforge net
Subject: [Snort-users] Acid database lost events, help!!!


I have been running snort for about 4 months.  The Snort db had about 12000
alerts and the archive db had about 19000.  I moved all of the alerts from
April to the archive db, ACID said it successfully moved 8000 alerts, which
SHOULD leave me with about 4000 in the main db and 27000 in the archive db.
The archive db only has about 20000 and the main db is now empty.  The
strange thing is, in the mysql db directory, none of the main Snort db file
sizes got any smaller and the archive files grew in size.  What happened to
the alerts?

Snort 1.9.1 on Redhat 7.2 alerts to
ACID v0.9.6b23, MySQL 3.23.56, Apache 2.0.45 on RedHat 8

Matt Brei
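As an added illustration at the end of the thread (not code from any of the posters, nor from ACID or Snort): the count check Paul suggests, a reconciliation of before/after counts against the number ACID reports as moved, and an archive move done inside a single transaction so that a process killed part-way (the PHP timeout Paul describes) rolls back instead of leaving rows half-copied. It assumes a constructed in-memory SQLite stand-in for the two MySQL databases, with an `event` and an `archive_event` table of the same shape.

```python
import sqlite3

COLS = "sid INTEGER, cid INTEGER, signature INTEGER, timestamp TEXT"

def make_db(april, may, archived):
    """Constructed stand-in: one in-memory SQLite file holding the main
    'event' table (april + may rows) and 'archive_event' (archived rows).
    Assumption: the real setup is two MySQL databases with these columns."""
    db = sqlite3.connect(":memory:")
    db.execute(f"CREATE TABLE event ({COLS})")
    db.execute(f"CREATE TABLE archive_event ({COLS})")
    rows = [(1, i, 1, "2003-04-15 00:00:00") for i in range(april)]
    rows += [(1, april + i, 1, "2003-05-15 00:00:00") for i in range(may)]
    db.executemany("INSERT INTO event VALUES (?,?,?,?)", rows)
    db.executemany("INSERT INTO archive_event VALUES (?,?,?,?)",
                   [(1, i, 1, "2003-03-15 00:00:00") for i in range(archived)])
    db.commit()
    return db

def count_events(db, table):
    """The check from the thread: SELECT COUNT(*) FROM event / archive_event."""
    return db.execute(f"SELECT COUNT(*) FROM {table}").fetchone()[0]

def move_events(db, month_prefix, fail_after=None):
    """Copy events whose timestamp starts with month_prefix into archive_event
    and delete them from event, all in ONE transaction. fail_after simulates
    the process being killed after that many rows (PHP's execution timeout):
    the rollback leaves both tables exactly as they were. True = committed."""
    rows = db.execute("SELECT sid, cid, signature, timestamp FROM event "
                      "WHERE timestamp LIKE ?", (month_prefix + "%",)).fetchall()
    try:
        with db:  # commits on success, rolls back on any exception
            for n, row in enumerate(rows, 1):
                db.execute("INSERT INTO archive_event VALUES (?,?,?,?)", row)
                db.execute("DELETE FROM event WHERE sid = ? AND cid = ?", row[:2])
                if n == fail_after:
                    raise RuntimeError("simulated PHP max_execution_time kill")
    except RuntimeError:
        return False
    return True

def reconcile(main_before, arch_before, moved, main_after, arch_after):
    """Compare observed counts after a move with what the reported 'moved'
    figure implies. Returns a list of discrepancies (empty if consistent)."""
    problems = []
    if main_after != main_before - moved:
        problems.append(f"main: expected {main_before - moved}, found {main_after}")
    if arch_after != arch_before + moved:
        problems.append(f"archive: expected {arch_before + moved}, found {arch_after}")
    lost = (main_before + arch_before) - (main_after + arch_after)
    if lost:
        problems.append(f"{lost} events missing from both databases")
    return problems
```

With Matt's figures (12000 main of which 8000 April, 19000 archived, main now 0 and archive 20000) `reconcile` reports three discrepancies, including 11000 events gone from both databases.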

