Snort mailing list archives

snort events not written by barnyard2 to snorby database

From: Herbert Groot Jebbink <herbert () groot jebbink nl>
Date: Sat, 23 Jun 2012 12:16:47 +0200
Hi,

I have setup snort, barnyard & snorby on a ubuntu 12.4 box, all seems
ok, however the events generated by snort are not written to the mysql
database.

---- below the setup in snort.conf

output alert_unified2: filename alert, limit 128

----- below the barnyard2 config

config reference_file:      /etc/snort/reference.config
config classification_file: /etc/snort/classification.config
config gen_file:            /etc/snort/gen-msg.map
config sid_file:            /etc/snort/community-sid-msg.map
config logdir: /var/log/barnyard2/
config waldo_file: /var/log/barnyard2/barnyard2.waldo
input unified2
output alert_fast: stdout
output database: log, mysql, user=snorby password=snorby dbname=snorby
host=localhost

---- below the barnyard startup command in /etc/init.d/barnyard2

barnyard2 -d /var/log/snort -f alert > /var/log/barnyard2/start.log 2>&1

---- below the stdout from above barnyard job
---------------------------------------------------

Running in Continuous mode

        --== Initializing Barnyard2 ==--
Initializing Input Plugins!
Initializing Output Plugins!
Parsing config file "/etc/barnyard2.conf"
Log directory = /var/log/barnyard2/
database: compiled support for (mysql)
database: configured to use mysql
database: schema version = 107
database:           host = localhost
database:           user = snorby
database:  database name = snorby
database:    sensor name = gozo:NULL
database:      sensor id = 1
database:     sensor cid = 1
database:  data encoding = hex
database:   detail level = full
database:     ignore_bpf = no
database: using the "log" facility

        --== Initialization Complete ==--

  ______   -*> Barnyard2 <*-
 / ,,_  \  Version 2.1.9 (Build 263)
 |o"  )~|  By the SecurixLive.com Team: http://www.securixlive.com/about.php
 + '''' +  (C) Copyright 2008-2010 SecurixLive.

           Snort by Martin Roesch & The Snort Team:
http://www.snort.org/team.html
           (C) Copyright 1998-2007 Sourcefire Inc., et al.

Using waldo file '/var/log/barnyard2/barnyard2.waldo':
    spool directory = /var/log/snort
    spool filebase  = alert
    time_stamp      = 1340435023
    record_idx      = 83
Opened spool file '/var/log/snort/alert.1340435023'
Waiting for new data
===============================================================================
Record Totals:
   Records:          320
    Events:          320 (100.000%)
   Packets:            0 (0.000%)
===============================================================================
Packet breakdown by protocol (includes rebuilt packets):
      ETH: 0          (0.000%)
  ETHdisc: 0          (0.000%)
     VLAN: 0          (0.000%)
     IPV6: 0          (0.000%)
  IP6 EXT: 0          (0.000%)
  IP6opts: 0          (0.000%)
  IP6disc: 0          (0.000%)
      IP4: 0          (0.000%)
  IP4disc: 0          (0.000%)
    TCP 6: 0          (0.000%)
    UDP 6: 0          (0.000%)
    ICMP6: 0          (0.000%)
  ICMP-IP: 0          (0.000%)
      TCP: 0          (0.000%)
      UDP: 0          (0.000%)
     ICMP: 0          (0.000%)
  TCPdisc: 0          (0.000%)
  UDPdisc: 0          (0.000%)
  ICMPdis: 0          (0.000%)
     FRAG: 0          (0.000%)
   FRAG 6: 0          (0.000%)
      ARP: 0          (0.000%)
    EAPOL: 0          (0.000%)
  ETHLOOP: 0          (0.000%)
      IPX: 0          (0.000%)
    OTHER: 0          (0.000%)
  DISCARD: 0          (0.000%)
InvChkSum: 0          (0.000%)
   S5 G 1: 0          (0.000%)
   S5 G 2: 0          (0.000%)
    Total: 0
===============================================================================

Kind Regards, Herbert

------------------------------------------------------------------------------
Live Security Virtual Conference
Exclusive live event will cover all the ways today's security and 
threat landscape has changed and how IT managers can respond. Discussions 
will include endpoint security, mobile security and the latest in malware 
threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!
Current thread:

snort events not written by barnyard2 to snorby database Herbert Groot Jebbink (Jun 23)
- Re: snort events not written by barnyard2 to snorby database beenph (Jun 23)