Re: Barnyard2 error: 'mysql' support is not compiled into this build of snort

[James Lieu <j0liu001 () yahoo com>]

My snort install runs fine to logs and I can start Barnyard2 without
the mysql call with no apparent problems (but Barnyard is not writing anything to mysql, no log files either).

but once I add the mysql output back into my barnyard2.conf file I am unable to start it



Below is my config. Thanks


config from  /etc/snort/snort.conf :
----------------------------------------------------------------------------------
# unified2 
# Recommended for most installs
output unified2: filename merged.log, limit 128, nostamp, mpls_event_types, vlan_event_types
----------------------------------------------------------------------------------


config from /etc/snort/barnyard2.conf:
----------------------------------------------------------------------------------

# database: log to a variety of databases
# ---------------------------------------
#
# Purpose: This output module provides logging ability to a variety of databases
# See doc/README.database for additional information.
#
# Examples:
output database: log, mysql, user=snort password=snort dbname=snort  host=localhost
#   output database: alert, postgresql, user=snort dbname=snort
#   output database: log, odbc, user=snort dbname=snort
#   output database: log, mssql, dbname=snort user=snort password=test
#   output database: log, oracle, dbname=snort user=snort password=test
#
---------------------------------------------------------------------------------------------------




> ________________________________
> From: Y M <snort () outlook com>
> To: James Lieu <j0liu001 () gmail com>; "jesler () sourcefire com" <jesler () sourcefire com> 
> Cc: "snort-users () lists sourceforge net" <snort-users () lists sourceforge net> 
> Sent: Monday, August 26, 2013 12:19 PM
> Subject: RE: [Snort-users] Barnyard2 error: 'mysql' support is not compiled into       this build of snort
>
>
>
> What is the output plugin configured in your snort.conf file? If you want to use Barnyard2, you should configure the 
> unified2 output plugin in your snor.conf.
>
> Example:
> output unified2: filename some.logs, limit 128
>
> That said, Snort will generate the unified2 logs and barnyard2 will process these. Also, you need to configure the 
> database output in barnyard2.conf file.
>
> ________________________________
> From: James Lieu
> Sent: ‎8/‎26/‎2013 7:10 PM
> To: jesler () sourcefire com
> Cc: snort-users () lists sourceforge net
> Subject: [Snort-users] Barnyard2 error: 'mysql' support is not compiled into this build of snort
>
>
> Joel:  
>
>
>
> Desperately need your help, has been struggling for two-weeks !!
>
>
> I have been trying to get Barnyard2 to read Snort's output, so the mysql data can been used by Snorby/BASE etc.
> But Barnyard2 is not cooperating..
>
> The new version Snort removed ./configure --enable-mysql option 
> (http://blog.snort.org/2012/07/database-output-is-dead-rip.html)
> what should I do ?  what/where am  I doing wrong?
>   
>
> My environment: 
> Snort Version 2.9.5.3 GRE (Build 132)
> Barnyard2 Version 2.1.13 (Build 327)
> OS: CentOS 6.4, 64-bits
>
>
> Snort compiled as:
> ./configure --enable-sourcefire --enable-gre
> (I am receiving ERSPAN data directly from CISCO 62xx)
>
> Barnyard2 compiled as:
> ./configure --with-mysql --with-mysql-libraries=/usr/lib64/mysql/ --with-mysql-includes=/usr/include/
>
>
> Snort is running and dumping data as snort.log.XXXXX.
>
>
>
> But could not get Barnyard2 running:
>
> barnyard2 -c /etc/snort/barnyard2.conf -d /var/log/snort -f snort.log -w /var/log/snort/barnyard2.waldo
>
> get:
>
> --------------------------------------------------------------------------------
> Running in Continuous mode
>
>         --== Initializing Barnyard2 ==--
> Initializing Input Plugins!
> Initializing Output Plugins!
> Parsing config file "/etc/snort/barnyard2.conf"
>
>
> +[ Signature Suppress list ]+
> ----------------------------
> +[No entry in Signature Suppress List]+
> ----------------------------
> +[ Signature Suppress list ]+
>
>
> Barnyard2 spooler: Event cache size set to [2048] 
> Log directory = /var/log/barnyard2
> ERROR database: 'mysql' support is not compiled into this build of snort
>
> ERROR: If this build of barnyard2 was obtained as a binary distribution (e.g., rpm,
> or Windows), then check for alternate builds that contains the necessary
> 'mysql' support.
>
> If this build of barnyard2 was compiled by you, then re-run the
> the ./configure script using the '--with-mysql' switch.
> For non-standard installations of a database, the '--with-mysql=DIR'
> syntax may need to be used to specify the base directory of the DB install.
>
> See the database documentation for cursory details (doc/README.database).
> and the URL to the most recent database plugin documentation.
> Fatal Error, Quitting..
> Barnyard2 exiting
> -----------------------------------------------------------------------------------
>
>
> config from  /etc/snort/snort.conf :
> ----------------------------------------------------------------------------------
> # unified2 
> # Recommended for most installs
> output unified2: filename merged.log, limit 128, nostamp, mpls_event_types, vlan_event_types
> ----------------------------------------------------------------------------------
>
>
>
>
> config from /etc/snort/barnyard2.conf:
> ----------------------------------------------------------------------------------
>
> # database: log to a variety of databases
> # ---------------------------------------
> #
> # Purpose: This output module provides logging ability to a variety of databases
> # See doc/README.database for additional information.
> #
> # Examples:
> output database: log, mysql, user=snort password=snort dbname=snort  host=localhost
> #   output database: alert, postgresql, user=snort dbname=snort
> #   output database: log, odbc, user=snort dbname=snort
> #   output database: log, mssql, dbname=snort user=snort password=test
> #   output database: log, oracle, dbname=snort user=snort password=test
> #
> ---------------------------------------------------------------------------------------------------
> ------------------------------------------------------------------------------
> Introducing Performance Central, a new site from SourceForge and 
> AppDynamics. Performance Central is your source for news, insights, 
> analysis and resources for efficient Application Performance Management. 
> Visit us today!
> http://pubads.g.doubleclick.net/gampad/clk?id=48897511&iu=/4140/ostg.clktrk
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
>
> Please visit http://blog.snort.org to stay current on all the latest Snort news!
------------------------------------------------------------------------------
Introducing Performance Central, a new site from SourceForge and 
AppDynamics. Performance Central is your source for news, insights, 
analysis and resources for efficient Application Performance Management. 
Visit us today!
http://pubads.g.doubleclick.net/gampad/clk?id=48897511&iu=/4140/ostg.clktrk

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!