Snort mailing list archives
Re: [barnyard2-users] Fatal error after upgrading barnyard2
From: Miguel Alvarez <miguellvrz9 () gmail com>
Date: Sat, 29 Sep 2012 19:58:22 +0200
On Sat, Sep 29, 2012 at 5:45 PM, beenph <beenph () gmail com> wrote:
> Re-Hoi Miguel,
>
> Was this message taken from the system syslog? And did you have a previous message that would complement the following? We added some verbosity and I find it curious that there is no companion message. (failed execution path)

You're right, I apologise, that was not the complete message. It is:

Sep 29 04:13:03 nids12 barnyard2[28532]: FATAL ERROR: database mysql_error: Duplicate entry '6-217828' for key 'PRIMARY' SQL=[INSERT INTO event (sid,cid,signature,timestamp) VALUES (6, 217828, 36, '2012-09-29 04:13:02');]

> Well, the only way I can see that a by2 process would be re-using the same event_id is that there would be some collision on sensor_id.
The only thing I can think of is that there are a couple of sensor_ids that are missing since I removed the sensors. Here's my snorby DB table (name and hostname omitted):

mysql> select * from sensor;
+-----+----------------+----------------+-----------+--------+--------+----------+----------+--------------+
| sid | name           | hostname       | interface | filter | detail | encoding | last_cid | events_count |
+-----+----------------+----------------+-----------+--------+--------+----------+----------+--------------+
|   1 |                |                | NULL      | NULL   |      1 |        0 |   302720 |       302733 |
|   2 |                |                | NULL      | NULL   |      1 |        0 |    28771 |        28775 |
|   3 |                |                | NULL      | NULL   |      1 |        0 |     5255 |         5261 |
|   4 |                |                | NULL      | NULL   |      1 |        0 |   341199 |       341929 |
|   5 |                |                | NULL      | NULL   |      1 |        0 |     2385 |         2403 |
|   6 |                |                | NULL      | NULL   |      1 |        0 |   217824 |       218558 |
|   7 |                |                | NULL      | NULL   |      1 |        0 |    78988 |        80071 |
|   8 |                |                | NULL      | NULL   |      1 |        0 |   487995 |       488163 |
|   9 |                |                | NULL      | NULL   |      1 |        0 |   282252 |       282261 |
|  10 |                |                | NULL      | NULL   |      1 |        0 |     2130 |         2139 |
|  11 |                |                | NULL      | NULL   |      1 |        0 |   296745 |       296968 |
|  12 |                |                | NULL      | NULL   |      1 |        0 |   145995 |       146027 |
|  13 |                |                | NULL      | NULL   |      1 |        0 |    13053 |        13100 |
|  14 |                |                | NULL      | NULL   |      1 |        0 |   243549 |       243720 |
|  15 |                |                | NULL      | NULL   |      1 |        0 |     7251 |         7260 |
|  16 |                |                | NULL      | NULL   |      1 |        0 |    79086 |        79151 |
|  17 |                |                | NULL      | NULL   |      1 |        0 |   388440 |       388582 |
|  19 |                |                | NULL      | NULL   |      1 |        0 |   222566 |       222799 |
|  20 |                |                | NULL      | NULL   |      1 |        0 |      143 |          180 |
|  21 |                |                | NULL      | NULL   |      1 |        0 |      579 |          629 |
|  23 |                |                | NULL      | NULL   |      1 |        0 |      134 |          153 |
+-----+----------------+----------------+-----------+--------+--------+----------+----------+--------------+
21 rows in set (0.00 sec)
> 2-1.10 at initialization will query every table to get the latest event id, and increment it, update the sensor table and start inserting. Every db call in 2-1.10 is isolated in a transaction, thus if this happens it means that something else with the same sensor_id inserted before the failing transaction was executed.
>
> I know this might sound weird and that you "never had issue" but I would start looking at making sure that all your by2 processes have different sensor_ids and that they are configured to collide with another process.
>
> Another thing I would look at is if you have on some system a by2 process running in the background that would conflict with your "frontman process". Maybe a process didn't terminate as expected or was started from another mechanism and is still running. Which could explain:
>
> Sep 29 04:11:17 nids12 barnyard2[28536]: Failed to archive file "/var/log/snort/eth7/snort.u2.1348805013" to "/var/log/snort/eth7/snort.u2.1348805013": File exists
I don't think that's the case but will look again.

Thanks again for your help!

MA
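
An added example (not part of the original message, and not barnyard2 code): it parses the duplicate-key error quoted above and checks, per sensor, whether the event table already holds cids above sensor.last_cid, which is the state you would see if something else had inserted under the same sensor id. The in-memory SQLite tables stand in for the Snort/Snorby MySQL schema; the two last_cid values and the log line come from the thread, the event rows are constructed.

```python
import re
import sqlite3

# Log line quoted in the message above.
LOG = ("Sep 29 04:13:03 nids12 barnyard2[28532]: FATAL ERROR: database mysql_error: "
       "Duplicate entry '6-217828' for key 'PRIMARY' SQL=[INSERT INTO event "
       "(sid,cid,signature,timestamp) VALUES (6, 217828, 36, '2012-09-29 04:13:02');]")

DUP_RE = re.compile(r"barnyard2\[(\d+)\]: FATAL ERROR: .*Duplicate entry '(\d+)-(\d+)' for key 'PRIMARY'")

def parse_duplicate(line):
    """Return (pid, sid, cid) from a barnyard2 duplicate-key error, or None."""
    m = DUP_RE.search(line)
    return tuple(int(g) for g in m.groups()) if m else None

def build_sample_db():
    """Constructed stand-in for the schema (only the columns used here)."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE sensor (sid INTEGER PRIMARY KEY, last_cid INTEGER);
        CREATE TABLE event  (sid INTEGER, cid INTEGER, signature INTEGER,
                             timestamp TEXT, PRIMARY KEY (sid, cid));
    """)
    db.executemany("INSERT INTO sensor VALUES (?, ?)", [(6, 217824), (7, 78988)])
    # Constructed events: sensor 6 has rows past its recorded last_cid, sensor 7 does not.
    rows = [(6, c, 36, "2012-09-29 04:12:00") for c in range(217820, 217829)]
    rows += [(7, c, 36, "2012-09-29 04:12:00") for c in range(78980, 78989)]
    db.executemany("INSERT INTO event VALUES (?, ?, ?, ?)", rows)
    return db

def sensors_ahead_of_counter(db):
    """Sensors whose event table already holds cids above sensor.last_cid."""
    return db.execute("""
        SELECT s.sid, s.last_cid, MAX(e.cid) AS max_cid
        FROM sensor s JOIN event e ON e.sid = s.sid
        GROUP BY s.sid, s.last_cid
        HAVING MAX(e.cid) > s.last_cid
        ORDER BY s.sid
    """).fetchall()

def explain(line, db):
    """Report whether the (sid, cid) named in the error is already stored."""
    pid, sid, cid = parse_duplicate(line)
    exists = db.execute("SELECT 1 FROM event WHERE sid=? AND cid=?", (sid, cid)).fetchone()
    return {"pid": pid, "sid": sid, "cid": cid, "already_in_event": exists is not None}

if __name__ == "__main__":
    db = build_sample_db()
    print(explain(LOG, db), sensors_ahead_of_counter(db))
```

The SELECT in sensors_ahead_of_counter uses only standard SQL, so the same statement can be run in the mysql client against the real sensor and event tables.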