Re: Mysql process stopping affects db writes after restart of mysql?

[Dirk Geschke <dirk () geschke-online de>]

Hi Dan,

> I noticed/tested that if mysql database process is stopped, snort (2.2)
> creates syslog errors that it can't write to database. Any new incidents
> seen by the probe do not get written to the database after that, but
> they do get logged in the tcpdump logfile. However, when I restart the
> mysql process, the incidents do not recover or get rewritten to the db
> (they are not spooled with error recovery) ...neither do new events
> after restarting mysql. It's as if I am going to have to restart snort
> on the probe to get logging into remote db successfully again. Anyone
> come across solutions for spooling alerts that don't make it into
> database and get snort to write to db without restarting snort? Does
> Barnyard handle this kind of recovery? 
> So basically, it looks like a stopped mysql process will cause pain and
> lost logging into db.

yes, this behaviour is correct. snort connects to the database only on
start up (or restart what is the same a ka SIGHUP). So there is no
mechanism to reconnect to the database if this is restarted.

I am not sure about barnyard, but I think it has a mechanism to
recover from such an event. Mudpit has this and FLoP can do this, too.

Best regards

Dirk


-------------------------------------------------------
This SF.Net email is sponsored by:
Sybase ASE Linux Express Edition - download now for FREE
LinuxWorld Reader's Choice Award Winner for best database on Linux.
http://ads.osdn.com/?ad_id=5588&alloc_id=12065&op=click
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users