This repository has been archived by the owner on Jan 18, 2024. It is now read-only.

Barnyard2 data not moving to SQL. #211

Open
sessionking33 opened this issue Mar 16, 2017 · 1 comment

Comments

@sessionking33

I have a build of snorby on a Centos 7 server with snort, barnyard2, and MariaDB on it and all of the logs are clean. Everything looks like it is working. Here is what is in the process table.

/usr/local/bin/barnyard2 -c /etc/snort/barnyard2.conf -d /var/log/snort -f snort.u2 -q -w /var/log/snort/eth0/barnyard2.waldo -g snort -u snort -D -a /var/log/snort/eth0/archive

/usr/sbin/snort -D -i ens4 -u snort -g snort -c /etc/snort/snort.conf -l /var/log/snort

When I run a snort -vi ens4 -c /etc/snort/snort.conf I see the events I want to capture. There is data in the snort.log. No errors on the waldo file.

Here is what is logged in the message log.

23 autocritas barnyard2[1427]: Running in Continuous mode
Mar 16 13:29:23 autocritas barnyard2[1427]:
Mar 16 13:29:23 autocritas barnyard2[1427]: --== Initializing Barnyard2 ==--
Mar 16 13:29:23 autocritas barnyard2[1427]: Initializing Input Plugins!
Mar 16 13:29:23 autocritas barnyard2[1427]: Initializing Output Plugins!
Mar 16 13:29:23 autocritas barnyard2[1427]: Parsing config file "/etc/snort/barnyard2.conf"
Mar 16 13:29:23 autocritas barnyard2[1427]: #12#012+[ Signature Suppress list ]+#12----------------------------
Mar 16 13:29:23 autocritas barnyard2[1427]: +[No entry in Signature Suppress List]+
Mar 16 13:29:23 autocritas barnyard2[1427]: ----------------------------#12+[ Signature Suppress list ]+
Mar 16 13:29:42 autocritas barnyard2[1427]: WARNING: invalid Reference spec '2015-0666'. Ignored
Mar 16 13:29:44 autocritas barnyard2[1427]: Barnyard2 spooler: Event cache size set to [2048]
Mar 16 13:29:44 autocritas barnyard2[1427]: Log directory = /var/log/barnyard2
Mar 16 13:29:44 autocritas barnyard2[1427]: INFO database: Defaulting Reconnect/Transaction Error limit to 10
Mar 16 13:29:44 autocritas barnyard2[1427]: INFO database: Defaulting Reconnect sleep time to 5 second
Mar 16 13:29:44 autocritas barnyard2[1427]: Initializing daemon mode
Mar 16 13:29:44 autocritas barnyard2[1427]: Daemon initialized, signaled parent pid: 1
Mar 16 13:29:44 autocritas barnyard2[1427]: PID path stat checked out ok, PID path set to /var/run/
Mar 16 13:29:44 autocritas barnyard2[1427]: Writing PID "1427" to file "/var/run//barnyard2_ens4.pid"
Mar 16 13:30:18 autocritas barnyard2[1427]: Node unique name is: localhost:ens4
Mar 16 13:30:21 autocritas barnyard2[1427]: [SignatureReferencePullDataStore()]: No Reference found in database ...
Mar 16 13:30:21 autocritas barnyard2[1427]: database: compiled support for (mysql)
Mar 16 13:30:21 autocritas barnyard2[1427]: database: configured to use mysql
Mar 16 13:30:21 autocritas barnyard2[1427]: database: schema version = 107
Mar 16 13:30:21 autocritas barnyard2[1427]: database: host = localhost
Mar 16 13:30:21 autocritas barnyard2[1427]: database: user = snorty
Mar 16 13:30:21 autocritas barnyard2[1427]: database: database name = snorby
Mar 16 13:30:21 autocritas barnyard2[1427]: database: sensor name = localhost:ens4
Mar 16 13:30:21 autocritas barnyard2[1427]: database: sensor id = 3
Mar 16 13:30:21 autocritas barnyard2[1427]: database: sensor cid = 3
Mar 16 13:30:21 autocritas barnyard2[1427]: database: data encoding = hex
Mar 16 13:30:21 autocritas barnyard2[1427]: database: detail level = full
Mar 16 13:30:21 autocritas barnyard2[1427]: database: ignore_bpf = no
Mar 16 13:30:21 autocritas barnyard2[1427]: database: using the "log" facility
Mar 16 13:30:21 autocritas barnyard2[1427]:
Mar 16 13:30:21 autocritas barnyard2[1427]: --== Initialization Complete ==--
Mar 16 13:30:21 autocritas barnyard2[1427]: Barnyard2 initialization completed successfully (pid=1427)
Mar 16 13:30:21 autocritas barnyard2[1427]: Using waldo file '/var/log/snort/eth0/barnyard2.waldo':#12 spool directory = /var/log/snort#012 spool filebase = snort.log#012 time_stamp = 1478897504#012 record_idx = 0
Mar 16 13:30:21 autocritas barnyard2[1427]: Opened spool file '/var/log/snort/snort.log.1478897504'
Mar 16 13:30:21 autocritas barnyard2[1427]: Waiting for new data

I ran the mysql -h to set the host to 127.0.0.1 and have granted all permissions on the database to the user several times. I see the sensors in the snorby database, so that is making it in.

I have already plowed through the other posts on this site but could not find anything that fixed it. Snort and Barnyard2 are running in Daemon mode.

I just can't help but think it is something simple? Do I need to activate some filters? Is there something else I need to do with the non eth0 network adapter? It looks like Snort is listening on that and barnyard2 is set for that interface too. Is there something I need to do with my MariaDB build? I have recompiled barnyard2 once already.

@sessionking33
Author

Disregard. I changed the log file to snort-unified and deleted the waldo file and it is now working.

You guys must have been "damn, another database not updating issue??" You have a lot of data on this site to sift through.
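The log above shows the mismatch that the reporter eventually fixed: barnyard2 was started with `-f snort.u2`, but the waldo file still recorded `spool filebase = snort.log` and pointed at an old `snort.log.1478897504` spool file. The following script is an added example (not part of this issue or of barnyard2) that decodes a waldo file and cross-checks it against the `-f` filebase and the spool directory listing; it assumes barnyard2's `WaldoData` layout of two 1024-byte NUL-padded path buffers followed by two native 32-bit integers, and the sample waldo and directory listing are constructed inline.

```python
import struct
from typing import Dict, List

STD_BUF = 1024  # assumed size of the spool_dir / spool_filebase buffers in barnyard2's WaldoData
WALDO_FMT = f"={STD_BUF}s{STD_BUF}sII"  # spool_dir, spool_filebase, timestamp, record_idx


def build_waldo(spool_dir: str, filebase: str, timestamp: int, record_idx: int) -> bytes:
    """Constructed waldo bytes in the assumed layout; used only to create sample input here."""
    return struct.pack(WALDO_FMT, spool_dir.encode(), filebase.encode(), timestamp, record_idx)


def parse_waldo(data: bytes) -> Dict[str, object]:
    """Decode a fixed-size waldo record; the two path fields are NUL-padded C strings."""
    if len(data) != struct.calcsize(WALDO_FMT):
        raise ValueError(f"unexpected waldo size {len(data)}, expected {struct.calcsize(WALDO_FMT)}")
    spool_dir, filebase, timestamp, record_idx = struct.unpack(WALDO_FMT, data)
    return {
        "spool_dir": spool_dir.split(b"\0", 1)[0].decode(),
        "spool_filebase": filebase.split(b"\0", 1)[0].decode(),
        "timestamp": timestamp,
        "record_idx": record_idx,
    }


def check_spool_consistency(waldo: Dict[str, object], cli_filebase: str, spool_listing: List[str]) -> List[str]:
    """Compare the waldo contents, the -f argument and the spool directory; return findings (empty = consistent)."""
    findings = []
    if waldo["spool_filebase"] != cli_filebase:
        findings.append(f"waldo filebase '{waldo['spool_filebase']}' differs from -f '{cli_filebase}': "
                        "stale waldo, delete it and restart barnyard2")
    if not any(name.startswith(cli_filebase + ".") for name in spool_listing):
        findings.append(f"no '{cli_filebase}.*' files in {waldo['spool_dir']}: "
                        "snort's unified2 output filename does not match -f")
    pointed = f"{waldo['spool_filebase']}.{waldo['timestamp']}"
    if pointed not in spool_listing:
        findings.append(f"waldo points at missing spool file {pointed}")
    return findings


if __name__ == "__main__":
    # Constructed sample reproducing the values in the issue's log: old waldo, -f snort.u2, snort writing snort.log.*
    sample = parse_waldo(build_waldo("/var/log/snort", "snort.log", 1478897504, 0))
    for line in check_spool_consistency(sample, "snort.u2", ["snort.log.1478897504"]):
        print("FINDING:", line)
```

Run it against a real waldo by replacing the constructed bytes with `open(path, "rb").read()` and the listing with `os.listdir(spool_dir)`.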
