Snort mailing list archives
Re: [barnyard2-users] Fatal error after upgrading barnyard2
From: Miguel Alvarez <miguellvrz9 () gmail com>
Date: Sat, 29 Sep 2012 17:34:07 +0200
On Sat, Sep 29, 2012 at 5:18 PM, beenph <beenph () gmail com> wrote:
On Sat, Sep 29, 2012 at 11:03 AM, Miguel Alvarez <miguellvrz9 () gmail com> wrote:

Hi Eric,

On Sat, Sep 29, 2012 at 4:28 PM, beenph <beenph () gmail com> wrote:

On Sat, Sep 29, 2012 at 2:43 AM, Miguel Alvarez <miguellvrz9 () gmail com> wrote:

Good morning,

I upgraded barnyard2 earlier this week to the 1.10 final from beta2 (thank you, elz!) and realized that some of my by2 processes had died. Looking in the logs, I see these from the MySQL output plugin for my Snorby instance:

Re-Hoi Miguel,

Was this message taken from the system syslog? And did you have a previous message that would complement the following? We added some verbosity and I find it curious that there is no companion message. (failed execution path)
You're right, I apologise, that was not the complete message. It is:

Sep 29 04:11:17 nids12 barnyard2[28536]: Failed to archive file "/var/log/snort/eth7/snort.u2.1348805013" to "/var/log/snort/eth7/snort.u2.1348805013": File exists
Sep 29 04:11:17 nids12 barnyard2[28536]: Closing spool file '/var/log/snort/eth7/snort.u2.1348805013'. Read 1223 records
Sep 29 04:11:17 nids12 barnyard2[28536]: Opened spool file '/var/log/snort/eth7/snort.u2.1348868147'
Sep 29 04:11:33 nids12 barnyard2[28536]: Failed to archive file "/var/log/snort/eth7/snort.u2.1348868147" to "/var/log/snort/eth7/snort.u2.1348868147": File exists
Sep 29 04:11:33 nids12 barnyard2[28536]: Closing spool file '/var/log/snort/eth7/snort.u2.1348868147'. Read 68 records
Sep 29 04:11:33 nids12 barnyard2[28536]: Opened spool file '/var/log/snort/eth7/snort.u2.1348891432'
Sep 29 04:11:33 nids12 barnyard2[28536]: Waiting for new data
Sep 29 04:12:17 nids12 snort[28506]: S5: Pruned session from cache that was using 1125030 bytes (closed normally). x.x.x.x 59047 --> x.x.x.x 80 (0) : LWstate 0x9 LWFlags 0x60e007
Sep 29 04:13:03 nids12 barnyard2[28532]: FATAL ERROR: database mysql_error: Duplicate entry '6-217828' for key 'PRIMARY' SQL=[INSERT INTO event (sid,cid,signature,timestamp) VALUES (6, 217828, 36, '2012-09-29 04:13:02');]
Sep 29 03:27:49 nids12 barnyard2[18511]: FATAL ERROR: database mysql_error: Duplicate entry '16-78634' for key 'PRIMARY'

Yes, that's the complete message, there is no table name given in the log.

When you updated, did you clean your reference and sig_reference tables?
No, I didn't clean anything out -- I suppose I should have since you're asking?
How many sensors do you have?
20
Are you sure that if you have N sensors that they all have their unique config and that they would not overlap using the same sensor id?
I haven't had any problems up until now and things have been going fine for almost a year.
I tried removing all existing log files in case waldo was getting lost and trying to re-insert already sent records but that didn't seem to be it. What can I do to resolve this problem?

What does your by2 config file look like?

config utc
config reference_file: /etc/snort/reference.config
config classification_file: /etc/snort/classification.config
config gen_file: /etc/snort/gen-msg.map
config sid_file: /etc/snort/sid-msg.map
config daemon
config set_gid: 500
config set_uid: 500
config umask: 066
config verbose
config reference_net: 10.0.0.0/8
input unified2
output alert_fast: alert
output database: log, mysql, user=x password=x dbname=x host=x.x.x.x sensor_name=x

On a side note, if you have output database and you run in daemonized mode, you might want to remove output alert_fast since it would be working for nothing, not that this has something to do with the issue.
Thank you, Eric. I actually do something else with that log.
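
A log-triage sketch for the errors quoted in this thread, added here as an example and not code from the thread or from barnyard2. It pulls the colliding (sid, cid) pair out of each "Duplicate entry" fatal error, where sid is the sensor ID in the Snort database schema, and flags archive failures whose source and destination are the same path. The function name triage is an assumption of the example; the sample lines are copied from the messages above.

```python
import re
from collections import defaultdict

# Syslog lines copied from the thread above.
SAMPLE_LOG = """\
Sep 29 04:11:33 nids12 barnyard2[28536]: Failed to archive file "/var/log/snort/eth7/snort.u2.1348868147" to "/var/log/snort/eth7/snort.u2.1348868147": File exists
Sep 29 04:11:33 nids12 barnyard2[28536]: Waiting for new data
Sep 29 04:13:03 nids12 barnyard2[28532]: FATAL ERROR: database mysql_error: Duplicate entry '6-217828' for key 'PRIMARY' SQL=[INSERT INTO event (sid,cid,signature,timestamp) VALUES (6, 217828, 36, '2012-09-29 04:13:02');]
Sep 29 03:27:49 nids12 barnyard2[18511]: FATAL ERROR: database mysql_error: Duplicate entry '16-78634' for key 'PRIMARY'
"""

PREFIX = re.compile(r"^(?P<ts>\w{3}\s+\d+ [\d:]{8}) (?P<host>\S+) barnyard2\[(?P<pid>\d+)\]: (?P<msg>.*)$")
DUP = re.compile(r"Duplicate entry '(?P<sid>\d+)-(?P<cid>\d+)' for key 'PRIMARY'")
TABLE = re.compile(r"SQL=\[INSERT INTO (?P<table>\w+)")
ARCHIVE = re.compile(r'Failed to archive file "(?P<src>[^"]+)" to "(?P<dst>[^"]+)"')

def triage(log_text):
    """Return (collisions keyed by sensor ID, spool files archived onto themselves)."""
    collisions = defaultdict(list)
    self_archives = []
    for line in log_text.splitlines():
        m = PREFIX.match(line)
        if not m:
            continue  # not a barnyard2 syslog line
        msg = m["msg"]
        dup = DUP.search(msg)
        if dup:
            # The table name is only present when the SQL text was logged.
            table = TABLE.search(msg)
            collisions[int(dup["sid"])].append({
                "cid": int(dup["cid"]),
                "pid": int(m["pid"]),
                "time": m["ts"],
                "table": table["table"] if table else None,
            })
        arch = ARCHIVE.search(msg)
        if arch and arch["src"] == arch["dst"]:
            self_archives.append(arch["src"])
    return dict(collisions), self_archives

if __name__ == "__main__":
    found, same_path = triage(SAMPLE_LOG)
    for sid, hits in sorted(found.items()):
        print(f"sensor id {sid}: {hits}")
    print("archive source == destination:", same_path)
```

Grouping by sid shows which sensor IDs are being written with an already-used cid, which is the first thing to compare against the sensor table when checking for overlapping sensor IDs.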