Snort mailing list archives
RE: Snort 2.0.0 logging to MySQL, but nothing in ACID???
From: "Williams Jon" <WilliamsJonathan () JohnDeere com>
Date: Wed, 20 Oct 2004 09:35:48 -0500
Running both consoles in SQL trace mode lead me to look at the sensor table. On the console that isn't working, there are no entries in the sensor table, but there are entries in it on the working console. I had an "A Ha!" moment. The sensor table on the broken box was missing the last_cid column. Don't know how that happened, as I know that I didn't do anything related to that in the timeframe of the problem. Putting the field back has corrected the issue. Thanks. Jon -----Original Message----- From: Kevin Johnson [mailto:kjohnson () secureideas net] Sent: Tuesday, October 19, 2004 6:09 PM To: Williams Jon Cc: Snort Users Subject: Re: [Snort-users] Snort 2.0.0 logging to MySQL, but nothing in ACID??? On Tue, 2004-10-19 at 16:29, Williams Jon wrote:
I'm having a pretty bad brain fart. Some time this morning, one of our ACID consoles stopped working. We've confirmed that all of our sensors are seeing data and generating alerts, that the MySQL port is open between all of the sensors and the DB server, that MySQL is running and accepting connections on the port the sensors are connecting to, and that the sensors are writing data to the database. When I go into ACID, it shows no alerts and no sensors, but if I click
on the "Application cache and status" link, the Alert Information Cache section shows the correct number of alerts under "Total Events". Clicking on "Repair Tables" and "Update Alert Cache" have no effect on
the problem, nor did restarting the web server, MySQL server, and rebooting the box. Fortunately, we've got a second DB server. When we repointed the sensors to the second server, everything works fine there. While I was logged into the box around the time that the problem occurred, and there were no other users logged in at all since before the problem, I have no clear recollection of any actions that had anything to do with PHP, the web server, ACID, or MySQL. Any suggestions? Any idea how I shot myself in the foot? Thanks. Jon
Hi- If you access the original database server directly, are the alerts still there? Is there anything in the logs? I would set the two below variables in acid_conf.php if you can't find anything else.... $sql_trace_mode = 0; $sql_trace_file = ""; Feel free to respond with any more information and I can try to help. Kevin ------------------- BASE Project Lead http://sourceforge.net/projects/secureideas The next step in IDS analysis! ------------------------------------------------------- This SF.net email is sponsored by: IT Product Guide on ITManagersJournal Use IT products in your business? Tell us what you think of them. Give us Your Opinions, Get Free ThinkGeek Gift Certificates! Click to find out more http://productguide.itmanagersjournal.com/guidepromo.tmpl _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- Snort 2.0.0 logging to MySQL, but nothing in ACID??? Williams Jon (Oct 19)
- Re: Snort 2.0.0 logging to MySQL, but nothing in ACID??? Kevin Johnson (Oct 19)
- <Possible follow-ups>
- RE: Snort 2.0.0 logging to MySQL, but nothing in ACID??? Williams Jon (Oct 20)