Re: error inserting values into mysql DB

["A. J. Wright" <ajw () utk edu>]

I'm not sure which platform you're running on, but check to make sure  
an additional instance of snort isn't running.

Something like "ps -eaf | fgrep snort" or "ps -auxc | fgrep snort" or  
even possibly "ps -u snort".  Kill everything that shows up, then  
restart your snort job.

Just in case something is going completely wonky ... rebooting never  
fixes anything, but have you tried it?

If its not a duplicate snort process issue, I'm stumped and  
graciously resubmit this to Those On The List With More Experience.

Cheers,
--aj

A. J. Wright -- <ajw () utk edu>
Senior Security Analyst, Information Security Office
University of Tennessee, Knoxville



On Apr 10, 2006, at 9:47 AM, devork wrote:

> Yes you are right, I have only one instance running but still the same
> error with mysql or postgresql
> stopped the /var/run/snort_eth0.pid process and ran through command  
> line switch
> snort -i eth0 -c /etc/snort/snort.conf
>
> but still the same error.
>
> "
> database: postgresql_error: ERROR:  duplicate key violates unique
> constraint "data_pkey"
>
> database: postgresql_error: ERROR:  duplicate key violates unique
> constraint "data_pkey"
> "
> ( This one is postgresql error message, previous one posted was of  
> mysql )
>
> -dvk
>
> On 4/10/06, A. J. Wright <ajw () utk edu> wrote:
> > I've had this problem when multiple instances of snort were running
> > on the box at the same time.  Occasionally snort shrugs off SIGTERM
> > and you have to be a little more violent.
> >
> > Both instances would see the same event on the same ethernet device
> > at the same time, and try to insert the (same) event into the
> > database.  MySQL would promptly balk at inserting duplicate events,
> > causing that error message.
> >
> > I suppose it might also be possible if you have duplicate, but
> > generally equivalent, MySQL alert/log outputs defined.
> >
> > Luck,
> > --aj
> >
> > A. J. Wright -- <ajw () utk edu>
> > Senior Security Analyst, Information Security Office
> > University of Tennessee, Knoxville
> >
> > On Apr 10, 2006, at 9:17 AM, devork wrote:
> >
> > > I have mysql database set as output plugin in snort.conf
> > > configuration file.
> > > but when any alert is generated it gives following error.
> > >
> > > ---------------------  ------------
> > > SQL=INSERT INTO event (sid,cid,signature,timestamp) VALUES ('2',
> > > '135', '548', ' 2006-04-10 12:37:51.284+005')
> > > database: mysql_error: Duplicate entry '2' for key 1
> > > SQL=INSERT INTO event (sid,cid,signature,timestamp) VALUES ('2',
> > > '136', '548', ' 2006-04-10 12:37:51.284+005')
> > > database: mysql_error: Duplicate entry '2' for key 1
> > > SQL=INSERT INTO event (sid,cid,signature,timestamp) VALUES ('2',
> > > '137', '548', ' 2006-04-10 12:37:51.284+005')
> > > database: mysql_error: Duplicate entry '2' for key 1
> > > ---------------------  ------------
> > > #mysql -V
> > > mysql  Ver 14.7 Distrib 4.1.14, for pc-linux-gnu (i686) using
> > > readline 4.3
> > >
> > > regards,
> > > dvk
> > >
> >
> >
> >
> >

Attachment: smime.p7s
Description: