Snort mailing list archives

Re: Barnyard2 error: 'mysql' support is not compiled into this build of snort


From: Y M <snort () outlook com>
Date: Mon, 26 Aug 2013 19:19:42 +0300

What is the output plugin configured in your snort.conf file? If you want to use Barnyard2, you should configure the 
unified2 output plugin in your snort.conf.

Example:
output unified2: filename some.logs, limit 128

That said, Snort will generate the unified2 logs and barnyard2 will process these. Also, you need to configure the 
database output in barnyard2.conf file.
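Before touching the barnyard2 database plugin it is worth confirming that the file Snort writes really is unified2. The following Python reader is an added example, not code from this thread or from the Snort/Barnyard2 projects: it walks the unified2 record stream (big-endian type/length header per record) and decodes the legacy IDS event record; the sample record it parses is constructed inline.

```python
import socket
import struct

# Record types from Snort's unified2 header definitions (packet and legacy IDS event).
UNIFIED2_PACKET = 2
UNIFIED2_IDS_EVENT = 7

# Legacy IDS event body: 11 x uint32, 2 x uint16, 4 x uint8, all big-endian (52 bytes).
IDS_EVENT_FMT = "!11I2H4B"
IDS_EVENT_FIELDS = (
    "sensor_id", "event_id", "event_second", "event_microsecond",
    "signature_id", "generator_id", "signature_revision", "classification_id",
    "priority_id", "ip_source", "ip_destination", "sport_itype", "dport_icode",
    "protocol", "impact_flag", "impact", "blocked",
)

def iter_records(data):
    """Yield (type, body) for each record. Every unified2 record starts with a
    big-endian uint32 type and uint32 length, followed by `length` body bytes."""
    off = 0
    while off + 8 <= len(data):
        rtype, rlen = struct.unpack_from("!II", data, off)
        body = data[off + 8:off + 8 + rlen]
        if len(body) < rlen:
            raise ValueError("truncated record at offset %d" % off)
        yield rtype, body
        off += 8 + rlen

def decode_ids_event(body):
    """Decode a legacy IDS event body into a dict; IPs become dotted quads."""
    vals = struct.unpack(IDS_EVENT_FMT, body[:struct.calcsize(IDS_EVENT_FMT)])
    ev = dict(zip(IDS_EVENT_FIELDS, vals))
    for key in ("ip_source", "ip_destination"):
        ev[key] = socket.inet_ntoa(struct.pack("!I", ev[key]))
    return ev

def summarize(data):
    """Return ([(gid, sid, rev), ...] for IDS events, number of packet records)."""
    events, packets = [], 0
    for rtype, body in iter_records(data):
        if rtype == UNIFIED2_IDS_EVENT:
            ev = decode_ids_event(body)
            events.append((ev["generator_id"], ev["signature_id"], ev["signature_revision"]))
        elif rtype == UNIFIED2_PACKET:
            packets += 1
    return events, packets

# Constructed sample: one legacy IDS event, GID 1 / SID 1000001 / rev 3, TCP 10.0.0.5 -> 10.0.0.9.
def build_sample():
    body = struct.pack(IDS_EVENT_FMT, 1, 42, 1377533400, 0, 1000001, 1, 3, 0, 2,
                       0x0A000005, 0x0A000009, 4444, 80, 6, 0, 0, 0)
    return struct.pack("!II", UNIFIED2_IDS_EVENT, len(body)) + body
```

Point `summarize()` at the bytes of a real `snort.log.XXXXX` file; if it raises or yields no events, the file is not the unified2 stream barnyard2 expects.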
________________________________
From: James Lieu<mailto:j0liu001 () yahoo com>
Sent: 8/26/2013 7:10 PM
To: jesler () sourcefire com<mailto:jesler () sourcefire com>
Cc: snort-users () lists sourceforge net<mailto:snort-users () lists sourceforge net>
Subject: [Snort-users] Barnyard2 error: 'mysql' support is not compiled into this build of snort

Joel:


Desperately need your help, I have been struggling for two weeks!!

I have been trying to get Barnyard2 to read Snort's output, so the mysql data can be used by Snorby/BASE etc.
But Barnyard2 is not cooperating.

The new version Snort removed ./configure --enable-mysql option 
(http://blog.snort.org/2012/07/database-output-is-dead-rip.html)
What should I do? What/where am I doing wrong?


My environment:
Snort Version 2.9.5.3 GRE (Build 132)
Barnyard2 Version 2.1.13 (Build 327)
OS: CentOS 6.4, 64-bits


Snort compiled as:
./configure --enable-sourcefire --enable-gre
(I am receiving ERSPAN data directly from CISCO 62xx)

Barnyard2 compiled as:
./configure --with-mysql --with-mysql-libraries=/usr/lib64/mysql/ --with-mysql-includes=/usr/include/


Snort is running and dumping data as snort.log.XXXXX.



But could not get Barnyard2 running:

barnyard2 -c /etc/snort/barnyard2.conf -d /var/log/snort -f snort.log -w /var/log/snort/barnyard2.waldo

get:

--------------------------------------------------------------------------------
Running in Continuous mode

        --== Initializing Barnyard2 ==--
Initializing Input Plugins!
Initializing Output Plugins!
Parsing config file "/etc/snort/barnyard2.conf"


+[ Signature Suppress list ]+
----------------------------
+[No entry in Signature Suppress List]+
----------------------------
+[ Signature Suppress list ]+


Barnyard2 spooler: Event cache size set to [2048]
Log directory = /var/log/barnyard2
ERROR database: 'mysql' support is not compiled into this build of snort

ERROR: If this build of barnyard2 was obtained as a binary distribution (e.g., rpm,
or Windows), then check for alternate builds that contains the necessary
'mysql' support.

If this build of barnyard2 was compiled by you, then re-run the
the ./configure script using the '--with-mysql' switch.
For non-standard installations of a database, the '--with-mysql=DIR'
syntax may need to be used to specify the base directory of the DB install.

See the database documentation for cursory details (doc/README.database).
and the URL to the most recent database plugin documentation.
Fatal Error, Quitting..
Barnyard2 exiting
-----------------------------------------------------------------------------------


config from  /etc/snort/snort.conf :
----------------------------------------------------------------------------------
# unified2
# Recommended for most installs
output unified2: filename merged.log, limit 128, nostamp, mpls_event_types, vlan_event_types
----------------------------------------------------------------------------------




config from /etc/snort/barnyard2.conf:
----------------------------------------------------------------------------------

# database: log to a variety of databases
# ---------------------------------------
#
# Purpose: This output module provides logging ability to a variety of databases
# See doc/README.database for additional information.
#
# Examples:
output database: log, mysql, user=snort password=snort dbname=snort  host=localhost
#   output database: alert, postgresql, user=snort dbname=snort
#   output database: log, odbc, user=snort dbname=snort
#   output database: log, mssql, dbname=snort user=snort password=test
#   output database: log, oracle, dbname=snort user=snort password=test
#
---------------------------------------------------------------------------------------------------
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!