Re: barnyard logging problems

[Bamm Visscher <bamm () satx rr com>]

Posting this to one of the barnyard specific lists [0] might have gotten you faster results.

To answer your question, you cannot have two barnyard procs reporting to the same database (and tables) at the same 
time. On init, the ACID plugin in barnyard SELECTs the next 'cid' or 'count ID'. This number is an incremented int 
providing a unique ID (sid, cid is the primary key for most of the tables in an ACID DB) for each alert INSERTed into 
the DB. The number is 'tracked' in that barnyard process only (++op_data->event_id;) so if one barnyard process uses 
the 'next' event id (cid), there is no way for the other barnyard proc to know that and it will get an error when it 
tries to insert a duplicate key into the DB.

Bammkkkk

[0] http://sourceforge.net/mail/?group_id=34732

On Fri, Sep 26, 2003 at 07:47:01AM -0400, Jason wrote:
> I hate having to repost, but no one ever answered, and the problem is
> getting worse as the DB gets larger.  I currently have 7 sensors pointed
> to the backend DB. Below is the conf file from one of them.
>
> Could someone post their barnyard config files (someone logging both
> alerts and logs), I seem to be having an issue.  When running two
> instances of barnyard, 1 always seems to crap out on me when it hits a
> duplicate key (which is what it should do, however I cannot seem to
> prevent the duplicate keys.....
> Below is the error and the conf files.  Most options (daemon mode etc) are
> started from the command line, each instance uses its own pid and waldo
> file.
>
> Sep 16 14:20:08 snortdmz barnyard: FATAL ERROR: Error (Duplicate entry
> '3-5882'
> for key 1) executing query: INSERT INTO event(sid, cid, signature,
> timestamp) VA
> LUES('3', '5882', '40', '2003-09-16 14:05:21 -0400')
>
> Barnyard conf no 1:
> -------------------
> snortdmz# more barnyard.conf.alert
> #config daemon
> config localtime
> config hostname: snort.dmz
> config interface: fxp0
> config filter: not port 22
> processor dp_alert
> processor dp_log
> processor dp_stream_stat
> output alert_fast
> output log_dump
> #output alert_syslog
> #output log_pcap
> output alert_acid_db: mysql, sensor_id 4, database snort_log, server
> 127.0.0.1, user snort, password *****
> #output log_acid_db: mysql, database snort_log, server 127.0.0.1, user
> snort,password *****,  detail full
>
> Barnyard conf no 2:
> -------------------snortdmz# more barnyard.conf.log
> #config daemon
> config localtime
> config hostname: snort.dmz
> config interface: fxp0
> config filter: not port 22
> processor dp_alert
> processor dp_log
> processor dp_stream_stat
> #output alert_fast
> #output log_dump
> #output alert_syslog
> #output log_pcap
> #output alert_acid_db: mysql, sensor_id 3, database snort_log, server
> 127.0.0.1, user snort, password *****
> output log_acid_db: mysql, database snort_log, server 127.0.0.1, user
> snort,password *****,  detail full
>
>
>
> -------------------------------------------------------
> This sf.net email is sponsored by:ThinkGeek
> Welcome to geek heaven.
> http://thinkgeek.com/sf
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users


-------------------------------------------------------
This sf.net email is sponsored by:ThinkGeek
Welcome to geek heaven.
http://thinkgeek.com/sf
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users