Snort mailing list archives
Re: Starting and Stopping Snort feeding Mysql
From: "Kenneth G. Arnold" <bkarnold () cbu edu>
Date: Thu, 6 Feb 2003 08:59:08 -0600 (CST)
I am confused. The sid in the event table corresponds to the sensor number. You say you have two sensors but the sid value indicates that this is sensor #3. Did you have another sensor running at some point that is not running now? Please login to mysql, select the snort database and perform a "select * from sensor;" command. This will show which hosts correspond to which sid values. What sid does the sensor producing these problems have? Is this host listed twice in the sensor table with two different sids? Why do you have three sid values and only two sensors? Ken On Wed, 5 Feb 2003, James M. Driskell wrote:
Hello,
I'm running 2 snort sensors feeding a mysql database on another box. I
get the following errors periodically from either box:
Feb 5 14:31:40 snort1 snort: database: mysql_error: Duplicate entry
'3-4958' for key 1 SQL=INSERT INTO event (sid,cid,signature,timestamp)
VALUES ('3', '4958', '5', '2003-02-05 14:31:40-08')
Feb 5 14:31:50 snort1 snort: database: mysql_error: Duplicate entry
'3-4959' for key 1 SQL=INSERT INTO event (sid,cid,signature,timestamp)
VALUES ('3', '4959', '5', '2003-02-05 14:31:50-08')
I can clear the problem by stopping and restarting the offending snort
box, but I'd rather fix the problem. I also note that I get an unknown
sensor when I restart snort.
I've had to stop and start snort daily because the local alert and
scan.logs tend to run me out of disk space on the snort boxes. I guess
I need to invest in new hd's but until then, can anyone help me fix this
problem.
Thanks,
Jim Driskell
University of Puget Sound
------------------------------------------------------- This SF.NET email is sponsored by: SourceForge Enterprise Edition + IBM + LinuxWorld = Something 2 See! http://www.vasoftware.com _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- Starting and Stopping Snort feeding Mysql James M. Driskell (Feb 05)
- Re: Starting and Stopping Snort feeding Mysql Kenneth G. Arnold (Feb 06)
- RE: Starting and Stopping Snort feeding Mysql James M. Driskell (Feb 07)
- Re: Starting and Stopping Snort feeding Mysql Kenneth G. Arnold (Feb 06)