Snort mailing list archives

Re: [barnyard2-users] Fatal error after upgrading barnyard2


From: beenph <beenph () gmail com>
Date: Sat, 29 Sep 2012 11:18:24 -0400

On Sat, Sep 29, 2012 at 11:03 AM, Miguel Alvarez <miguellvrz9 () gmail com> wrote:
> Hi Eric,
>
> On Sat, Sep 29, 2012 at 4:28 PM, beenph <beenph () gmail com> wrote:
> > On Sat, Sep 29, 2012 at 2:43 AM, Miguel Alvarez <miguellvrz9 () gmail com> wrote:
> > > Good morning,
> > >
> > > I upgraded barnyard2 earlier this week to the 1.10 final from beta2
> > > (thank you, elz!) and realized that some of my by2 processes had died.
> > > Looking in the logs, I see these from the MySQL output plugin for my
> > > Snorby instance:
> >
> > Re-Hoi Miguel,
> >
> > Was this message taken from the system syslog?
> > And did you have a previous message that would complement the following?
> >
> > We added some verbosity and I find it curious that there is no
> > companion message (failed execution path).
> >
> > > Sep 29 03:27:49 nids12 barnyard2[18511]: FATAL ERROR: database
> > > mysql_error: Duplicate entry '16-78634' for key 'PRIMARY'
>
> Yes, that's the complete message; there is no table name given in the log.
>
> > When you updated, did you clean your reference and sig_reference tables?
> >
> > How many sensors do you have?
> > Are you sure that if you have N sensors, they all have their own unique
> > config and that they would not overlap by using the same sensor id?
> >
> > > I tried removing all existing log files in case waldo was getting
> > > lost and trying to re-insert already sent records, but that didn't seem
> > > to be it.  What can I do to resolve this problem?
> >
> > What does your by2 config file look like?
>
> config utc
> config reference_file:      /etc/snort/reference.config
> config classification_file: /etc/snort/classification.config
> config gen_file:            /etc/snort/gen-msg.map
> config sid_file:            /etc/snort/sid-msg.map
> config daemon
> config set_gid: 500
> config set_uid: 500
> config umask: 066
> config verbose
> config reference_net: 10.0.0.0/8
> input unified2
> output alert_fast: alert
> output database: log, mysql, user=x password=x dbname=x host=x.x.x.x sensor_name=x

On a side note,

If you have output database and you run in daemonized mode, you might
want to remove output alert_fast since it would be working for nothing,
not that this has something to do with the issue.

-elz
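The questions above (which sensor owns sid 16, whether two barnyard2 instances could be sharing one sensor id, and whether the counter is behind the rows already stored) can be answered directly against the database. The queries below are an added example, not part of this thread or of the barnyard2 project. They assume the stock barnyard2 MySQL schema as shipped in its create_mysql script (a sensor table with sid, hostname, interface, filter, detail, encoding and last_cid, and an event table with sid, cid, signature and timestamp, where event has PRIMARY KEY (sid, cid)), and they assume that barnyard2 resolves its sensor row from the configured sensor_name/interface and derives the next cid from sensor.last_cid; sid 16 and cid 78634 are the values taken from the FATAL ERROR line.

```sql
-- Added diagnostic queries (not from the thread). Assumed schema: barnyard2's
-- create_mysql, event PRIMARY KEY (sid, cid). Values 16 / 78634 come from the
-- "Duplicate entry '16-78634' for key 'PRIMARY'" message.

-- 1. Which sensor row is sid 16? Compare hostname/interface against the
--    sensor_name and interface each by2 instance is configured with; two
--    instances that resolve to this same row will race on cid.
SELECT sid, hostname, interface, filter, detail, encoding, last_cid
  FROM sensor
 WHERE sid = 16;

-- 2. Sensor rows that look like one physical sensor registered more than once
--    (same hostname and interface under several sids). Assumed lookup keys.
SELECT hostname, interface, COUNT(*) AS rows_for_sensor,
       GROUP_CONCAT(sid ORDER BY sid) AS sids
  FROM sensor
 GROUP BY hostname, interface
HAVING COUNT(*) > 1;

-- 3. Is the stored counter behind the data? If MAX(cid) >= last_cid + 1, the
--    next cid handed out would collide with an existing row (assumes next cid
--    is derived from last_cid).
SELECT s.sid, s.last_cid, MAX(e.cid) AS max_event_cid,
       CASE WHEN MAX(e.cid) >= s.last_cid + 1 THEN 'counter behind events'
            ELSE 'counter ahead of events' END AS state
  FROM sensor s
  LEFT JOIN event e ON e.sid = s.sid
 WHERE s.sid = 16
 GROUP BY s.sid, s.last_cid;

-- 4. The row that was already there when the insert failed: its timestamp
--    tells you whether it is an old record being replayed (waldo reset) or a
--    fresh one written moments earlier by another process.
SELECT sid, cid, signature, `timestamp`
  FROM event
 WHERE sid = 16 AND cid = 78634;
```

Run these as a read-only user against the same database the failing instance writes to; nothing here modifies data, and the result of query 3 is the one that distinguishes a stale counter from two writers sharing a sensor id.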
