Snort mailing list archives

RE: please help - ACID: "Ignored XXX duplicate events" on archive


From: "Cloppert, Michael" <Michael.Cloppert () 53 com>
Date: Tue, 27 Aug 2002 10:52:20 -0400

Has anyone come up with any sort of a way to resolve this issue?  Our
acid-archive database is still completely useless, and I really need a way
to fix this.  ANY help would be appreciated.  And to address a previous
question, yes, my acid_conf.php is configured correctly:
 
$alert_dbname   = "snort";
$alert_host     = "localhost";
$alert_port     = "";
$alert_user     = "snort";
$alert_password = "xxxx";
 
/* Archive DB connection parameters */
$archive_dbname   = "snort_archive";
$archive_host     = "localhost";
$archive_port     = "";
$archive_user     = "snort";
$archive_password = "xxxx";
 
Thanks in advance,
 
Mike

-----Original Message-----
From: Luca Tampieri [mailto:Luca.Tampieri () fi infn it]
Sent: Tuesday, August 20, 2002 12:48 PM
To: Cloppert, Michael; snort-users () lists sourceforge net
Subject: Re: [Snort-users] please help - ACID: "Ignored XXX duplicate
events" on archive


We had the same problem yesterday.
I have seen that our database-archive was full, or I think so (I don't know
MySQL well).

mysql> show table status;

shows that 'Max_data_length' and 'Index_length' were about the same for table
'data',
so I have made a new archive, I have set it in acid_conf ($archive_dbname)
and now I am trying to move alerts into this db.

I will have the results of this test only later because my ACID is very
slow, but so far everything is all right.

Note: we use Snort 1.8.6 and FreeBSD 4.6.

Hope this helps.
Luca
  


"Cloppert, Michael" wrote:

I'm having a problem with ACID's "Archive Alerts (move)" and "Archive Alerts
(copy)".  All events I try to archive give the error "Ignored XXX duplicate
events".  These are not duplicate events - I even verify this by running my
version of ACID that queries the snort-archive database and I can't find the
alerts.  As a matter of fact, this action hasn't been successful for more
than 2 weeks now.  I have no idea what I may have changed to cause this
problem.

I'm running Snort 1.8.7 on RHL7.3, latest version of ACID, mysql, etc...

This is a HUGE problem for us, as we rely heavily on ACID's archiving
ability for maintenance.  Any help would be appreciated.

Mike


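The table-full check described in the quoted reply can be scripted. This is an added example, not part of the original thread or of ACID: it parses `SHOW TABLE STATUS\G` output and flags tables whose data file is close to its size limit. The sample output is constructed, and treating Data_length against Max_data_length as the "full" signal is an assumption.

```python
import re

# Constructed sample of `SHOW TABLE STATUS\G` output (not taken from the thread).
SAMPLE = """\
*************************** 1. row ***************************
           Name: data
    Data_length: 4294967200
Max_data_length: 4294967295
*************************** 2. row ***************************
           Name: event
    Data_length: 52428800
Max_data_length: 4294967295
*************************** 3. row ***************************
           Name: sensor
    Data_length: 120
Max_data_length: 0
"""

ROW_SEP = re.compile(r"^\*+ \d+\. row \*+$", re.M)

def parse_table_status(text):
    """Turn vertical (\\G) output into one dict of column -> value per table."""
    rows = []
    for chunk in ROW_SEP.split(text):
        row = {}
        for line in chunk.splitlines():
            key, sep, value = line.partition(":")
            if sep:
                row[key.strip()] = value.strip()
        if "Name" in row:
            rows.append(row)
    return rows

def nearly_full(rows, threshold=0.95):
    """Assumption: a table is 'full' when Data_length nears Max_data_length."""
    flagged = []
    for row in rows:
        try:
            used = int(row["Data_length"])
            limit = int(row["Max_data_length"])
        except (KeyError, ValueError):
            continue  # column missing or NULL: nothing to compare
        if limit > 0 and used / limit >= threshold:
            flagged.append((row["Name"], round(used / limit, 4)))
    return flagged

if __name__ == "__main__":
    for name, ratio in nearly_full(parse_table_status(SAMPLE)):
        print(f"{name}: data file at {ratio:.2%} of Max_data_length")
```

Feed it the output of `mysql -e 'SHOW TABLE STATUS\G' snort_archive`; a limit of 0 is treated as "no limit reported" and skipped.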

