Snort mailing list archives
Arch linux Barnyard2 and mysql issue..
From: rek2 <rek2gnulinux () gmail com>
Date: Fri, 13 Apr 2012 21:01:18 -0700
Hello, sorry to post here, but I searched for a barnyard2 mailing list and
other than their main site I found nothing..
I'm used to installing snort+mysql+snorby, but recently snort dropped support
for mysql, so it forces me to use barnyard2 so I can use snorby.. with this
comes the issue I have now,, after many small issues that I was able to
figure out myself from the documentation and searching, I got to a wall where
neither documentation nor searches are helping much :-(
The main issue I have, and I will elaborate below, is that barnyard says I have
0 entries in snort.log, but.. that is not true..
Read 0 records
I have some idea of snort and mysql, so I am able to create a custom rule
for testing in local.rules, but..
I can see my snort.log growing in bytes, but barnyard2 never reads
anything.. so here is my config:
in barnyard2 config:
output database: log, mysql, user=snorby password=XXXXXXXX dbname=snorby
host=localhost
on snort:
output unified2: filename merged.log, limit 128
Barnyard2 output:
[root@0jos ~]# ./run_barnyard2_chiki.sh
Running in Continuous mode
--== Initializing Barnyard2 ==--
Initializing Input Plugins!
Initializing Output Plugins!
Parsing config file "/etc/snort/barnyard2.conf"
WARNING: invalid Reference spec 'url,'. Ignored
Log directory = /var/log/barnyard2
database: compiled support for (mysql)
database: configured to use mysql
database: schema version = 107
database: host = localhost
database: user = snorby
database: database name = snorby
database: sensor name = localhost:eth0
database: sensor id = 1
database: sensor cid = 1
database: data encoding = hex
database: detail level = full
database: ignore_bpf = no
database: using the "log" facility
--== Initialization Complete ==--
______ -*> Barnyard2 <*-
/ ,,_ \ Version 2.1.9 (Build 263)
|o" )~| By the SecurixLive.com Team: http://www.securixlive.com/about.php
+ '''' + (C) Copyright 2008-2010 SecurixLive.
Snort by Martin Roesch & The Snort Team:
http://www.snort.org/team.html
(C) Copyright 1998-2007 Sourcefire Inc., et al.
WARNING: Ignoring corrupt/truncated waldofile
'/var/log/barnyard2/barnyard2.waldo'
Opened spool file '/var/log/snort/snort.log.1334374730'
Closing spool file '/var/log/snort/snort.log.1334374730'. Read 0 records
Opened spool file '/var/log/snort/snort.log.1334374839'
Waiting for new data
Also, documentation and howtos are so mixed up.. some say to put merged.log
and others snort.log. I guess it does not matter, but when in snort.conf I tell
it to output to merged.log (output unified2: filename merged.log, limit 128)
it NEVER creates a merged.log but instead still a snort.log.243242, for
example, and every time I restart it creates a new one. That's fine, I
understand that.. the part I don't get is that if I tell snort to log to
merged.log, it does not..
In any case, my first issue is to get this running, and I need barnyard2 to
read snort's output.. the rest can come later.
Thanks!!
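A small spool-file checker, added here as an example (it is not code from the post or from the Barnyard2 project): it walks the unified2 records snort writes, counts them by type, decodes the legacy IDS event record, and reports a truncated trailing record, which is a quick way to tell whether "Read 0 records" means the file really is empty or barnyard2 is reading the wrong file. The 8-byte record header, the record type numbers and the 52-byte legacy event layout are assumed from Snort's Unified2_common.h; the sample bytes are constructed.

```python
import socket
import struct
from collections import Counter

# Unified2 record header: 4-byte record type, 4-byte body length, network byte order.
HDR = struct.Struct("!II")
# Unified2IDSEvent_legacy body: 11 x uint32, 2 x uint16, 4 x uint8 = 52 bytes (assumed layout).
IDS_EVENT = struct.Struct("!11I2H4B")
UNIFIED2_PACKET = 2       # record type numbers assumed from Snort's Unified2_common.h
UNIFIED2_IDS_EVENT = 7

def ipv4(n):
    return socket.inet_ntoa(struct.pack("!I", n))

def scan_spool(data):
    """Walk the complete records in a unified2 spool file.

    Returns (count per record type, decoded legacy IDS events, bytes left in a
    truncated trailing record).  A non-zero trailer is normal while snort is
    still writing, but a trailer on a closed file means it was cut short."""
    counts, events, off = Counter(), [], 0
    while off + HDR.size <= len(data):
        rtype, rlen = HDR.unpack_from(data, off)
        end = off + HDR.size + rlen
        if end > len(data):
            break  # header present but body incomplete
        body = data[off + HDR.size:end]
        counts[rtype] += 1
        if rtype == UNIFIED2_IDS_EVENT and len(body) >= IDS_EVENT.size:
            f = IDS_EVENT.unpack_from(body)
            events.append({"gid": f[5], "sid": f[4], "rev": f[6],
                           "src": ipv4(f[9]), "dst": ipv4(f[10]), "proto": f[13]})
        off = end
    return counts, events, len(data) - off

def build_event(sid, gid=1, rev=1):
    """Constructed legacy IDS event record for testing (not real snort output)."""
    body = IDS_EVENT.pack(1, 1, 1334374730, 0, sid, gid, rev, 0, 3,
                          0x0A000001, 0x0A000002, 1234, 80, 6, 0, 0, 0)
    return HDR.pack(UNIFIED2_IDS_EVENT, len(body)) + body

# Constructed spool: one event, one packet record, then a record cut off mid-body.
SAMPLE = (build_event(1000001)
          + HDR.pack(UNIFIED2_PACKET, 4) + b"\xde\xad\xbe\xef"
          + HDR.pack(UNIFIED2_IDS_EVENT, IDS_EVENT.size) + b"\x00" * 10)

if __name__ == "__main__":
    counts, events, trailer = scan_spool(SAMPLE)
    print(dict(counts), events, "trailing bytes:", trailer)
```

Point it at a real file with `scan_spool(open("/var/log/snort/snort.log.1334374730", "rb").read())`; a closed spool file that barnyard2 reports as 0 records should then show whether it has any record headers at all.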