Honeypots mailing list archives

Sebek 3 not reporting data details to Walleye


From: Cindy Jenkins <cj () u washington edu>
Date: Wed, 16 Aug 2006 13:01:43 -0700

Hello all,

I have been trying to track the issue down and cannot find any information on this problem online.

Environment:
Hwall server ROO hw1.0-189
Honeypots: FC3 2.6, Win2KPro, WinXP, Mac OS X
Syslog server: FC3 log server
Software: Sebek 3.03l server and clients, 2.6 kernel on FC3 client

Problem: Walleye not showing read details for sebek data

Situation:
I can see the sebek traffic arriving on the Hwall server using the sbk_ks_log.pl or viewer scripts. So I know the clients are sending traffic. I can also see that the mysql files for sys_read, sys_open, and process all update file sizes and date stamps when I send data over from a client. I presume this means the database is recording the data.

The variables we have in honeywall.conf for sebek are below. Are they correct? Do I need to define the HwSEBEK_DST_IP on the Hwall to be the IP number for the command interface? eth2 is our ssh/walleye line, eth0 and eth1 make up the br0 bridge for the honeypots. Neither eth0 nor eth1 have IPs assigned.

HwSEBEK_DST_IP=192.168.1.34
HwSEBEK_LOG=yes
HwSEBEK_FATE=ACCEPT
HwSEBEK_log=yes
HwSEBEK_DST_PORT=7701
HwSEBEK=yes

I can see Sebek traffic in Walleye, including process lists, but there are no details, like the keystrokes we type in. The viewer and ks_log, when run manually, show the keystrokes, but they are not in Walleye. I can see traffic flowing via tcpdump as well. I have checked the log files for errors and do not find anything reporting on file permissions or such like that. So, any ideas?

I have read all the KYE papers on the theory and implementation of sebek, but I can't find any hard core data on the installation and setup. And there is no troubleshooting data on this problem, at least that I can locate.

Thanks!
CJ
