
Events not written to mysql database #30

Closed
Herbert256 opened this Issue Jun 23, 2012 · 1 comment


Hi,

I have set up snort, barnyard & snorby on a ubuntu 12.4 box; all seems ok, however the events generated by snort are not written to the mysql database.

---- below the setup in snort.conf

output alert_unified2: filename alert, limit 128

----- below the barnyard2 config

config reference_file: /etc/snort/reference.config
config classification_file: /etc/snort/classification.config
config gen_file: /etc/snort/gen-msg.map
config sid_file: /etc/snort/community-sid-msg.map
config logdir: /var/log/barnyard2/
config waldo_file: /var/log/barnyard2/barnyard2.waldo
input unified2
output alert_fast: stdout
output database: log, mysql, user=snorby password=snorby dbname=snorby host=localhost

---- below the barnyard startup command in /etc/init.d/barnyard2

barnyard2 -d /var/log/snort -f alert > /var/log/barnyard2/start.log 2>&1

---- below the stdout from above barnyard job ---------------------------------------------------

Running in Continuous mode

    --== Initializing Barnyard2 ==--

Initializing Input Plugins!
Initializing Output Plugins!
Parsing config file "/etc/barnyard2.conf"
Log directory = /var/log/barnyard2/
database: compiled support for (mysql)
database: configured to use mysql
database: schema version = 107
database: host = localhost
database: user = snorby
database: database name = snorby
database: sensor name = gozo:NULL
database: sensor id = 1
database: sensor cid = 1
database: data encoding = hex
database: detail level = full
database: ignore_bpf = no
database: using the "log" facility

    --== Initialization Complete ==--

         ______   -*> Barnyard2 <*-
        / ,,_  \  Version 2.1.9 (Build 263)
        |o"  )~|  By the SecurixLive.com Team: http://www.securixlive.com/about.php
        + '''' +  (C) Copyright 2008-2010 SecurixLive.

                  Snort by Martin Roesch & The Snort Team: http://www.snort.org/team.html
                  (C) Copyright 1998-2007 Sourcefire Inc., et al.

Using waldo file '/var/log/barnyard2/barnyard2.waldo':
spool directory = /var/log/snort
spool filebase = alert
time_stamp = 1340435023
record_idx = 83
Opened spool file '/var/log/snort/alert.1340435023'

Waiting for new data

Record Totals:
Records: 320
Events: 320 (100.000%)

Packets: 0 (0.000%)

Packet breakdown by protocol (includes rebuilt packets):
ETH: 0 (0.000%)
ETHdisc: 0 (0.000%)
VLAN: 0 (0.000%)
IPV6: 0 (0.000%)
IP6 EXT: 0 (0.000%)
IP6opts: 0 (0.000%)
IP6disc: 0 (0.000%)
IP4: 0 (0.000%)
IP4disc: 0 (0.000%)
TCP 6: 0 (0.000%)
UDP 6: 0 (0.000%)
ICMP6: 0 (0.000%)
ICMP-IP: 0 (0.000%)
TCP: 0 (0.000%)
UDP: 0 (0.000%)
ICMP: 0 (0.000%)
TCPdisc: 0 (0.000%)
UDPdisc: 0 (0.000%)
ICMPdis: 0 (0.000%)
FRAG: 0 (0.000%)
FRAG 6: 0 (0.000%)
ARP: 0 (0.000%)
EAPOL: 0 (0.000%)
ETHLOOP: 0 (0.000%)
IPX: 0 (0.000%)
OTHER: 0 (0.000%)
DISCARD: 0 (0.000%)
InvChkSum: 0 (0.000%)
S5 G 1: 0 (0.000%)
S5 G 2: 0 (0.000%)

Total: 0

Kind Regards, Herbert

Collaborator

binf commented Jun 27, 2012

Use `output unified2` instead of `output alert_unified2`
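The "Record Totals" in the barnyard2 output above (320 events, 0 packets) are the symptom behind this reply: Snort's `alert_unified2` output writes only event records to the spool file, whereas `unified2` also writes the packet that triggered each event. The script below is an added example, not part of this issue and not barnyard2 or Snort code; it walks a unified2 spool file record by record and reports how many event and packet records it holds, so the same check can be made directly on `/var/log/snort/alert.*` before tuning the output plugins. The record type ids are Snort's unified2 ids; the sample spool contents are constructed, zero-filled placeholders, since the check reads only the record headers.

```python
"""Count event vs packet records in a Snort unified2 spool (added example)."""
import struct
import sys
from collections import Counter

# Unified2 record type ids as defined by Snort's unified2 format.
UNIFIED2_PACKET = 2
UNIFIED2_IDS_EVENT = 7
UNIFIED2_IDS_EVENT_IPV6 = 72
UNIFIED2_IDS_EVENT_VLAN = 104
UNIFIED2_IDS_EVENT_IPV6_VLAN = 105
UNIFIED2_EXTRA_DATA = 110

EVENT_TYPES = {
    UNIFIED2_IDS_EVENT,
    UNIFIED2_IDS_EVENT_IPV6,
    UNIFIED2_IDS_EVENT_VLAN,
    UNIFIED2_IDS_EVENT_IPV6_VLAN,
}

# Every unified2 record starts with two big-endian uint32 fields:
# the record type and the length of the payload that follows.
HEADER = struct.Struct("!II")


def iter_records(data):
    """Yield (type, payload) for each complete record in a unified2 byte string."""
    off = 0
    while off + HEADER.size <= len(data):
        rtype, rlen = HEADER.unpack_from(data, off)
        off += HEADER.size
        if off + rlen > len(data):
            # Trailing record is incomplete (Snort may still be writing it):
            # stop here, exactly as a spool reader waiting for new data would.
            break
        yield rtype, data[off:off + rlen]
        off += rlen


def record_totals(data):
    """Summarise a spool the way barnyard2's 'Record Totals' does."""
    counts = Counter(rtype for rtype, _ in iter_records(data))
    return {
        "records": sum(counts.values()),
        "events": sum(n for t, n in counts.items() if t in EVENT_TYPES),
        "packets": counts.get(UNIFIED2_PACKET, 0),
        "by_type": dict(counts),
    }


def diagnose(data):
    """Explain what the event/packet split says about Snort's output config."""
    totals = record_totals(data)
    if totals["records"] == 0:
        return "empty: Snort has not written any records to this spool file"
    if totals["events"] and totals["packets"] == 0:
        return ("events-only: matches Snort 'output alert_unified2'; "
                "use 'output unified2' so packet records are written too")
    return "ok: spool contains both event and packet records"


def build_spool(records):
    """Construct a unified2 byte string from (type, payload) pairs (sample data)."""
    return b"".join(HEADER.pack(t, len(p)) + p for t, p in records)


# Constructed sample spools. Payloads are zero-filled placeholders sized like
# the real records (52-byte legacy IDS event, 28-byte packet header + 60 bytes
# of packet); their contents do not matter to the header-only check above.
EVENT_PAYLOAD = bytes(52)
PACKET_PAYLOAD = bytes(28 + 60)
ALERT_ONLY_SPOOL = build_spool([(UNIFIED2_IDS_EVENT, EVENT_PAYLOAD)] * 3)
FULL_SPOOL = build_spool(
    [(UNIFIED2_IDS_EVENT, EVENT_PAYLOAD), (UNIFIED2_PACKET, PACKET_PAYLOAD)] * 3
)

if __name__ == "__main__":
    # Usage: python unified2_totals.py /var/log/snort/alert.1340435023
    with open(sys.argv[1], "rb") as fh:
        spool = fh.read()
    print(record_totals(spool))
    print(diagnose(spool))
```

Run it against the spool file named in barnyard2's "Opened spool file" line; a result with events but zero packets reproduces the situation in this issue, while a spool written with `output unified2` shows one packet record per event.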

@firnsy firnsy closed this Dec 6, 2012
