Hi. I am using security/snort for event management. In the past security/snort used to log events to a database, but since version 2.9.3 the maintainer of the port has detached the event logging features and suggests using security/barnyard2. Until recently I was using the old security/snort with the event logging features, but due to the recent devel/pcre update I can't use the old package. I have tried configuring security/barnyard2, but it fails with the following errors:
/usr/local/etc/snort/snort.conf http://pastebin.ca/2303257
/usr/local/etc/barnyard2.conf http://pastebin.ca/2303265
I have censored the output database settings in the above file.
Code:
Jan 16 01:03:08 apogee barnyard2[4763]: database: [SynchronizeEventId()]: Problems executing [SELECT MAX(cid) FROM data WHERE sid='2';]
Jan 16 01:03:08 apogee barnyard2[4763]: database: [SynchronizeEventId()]: Problems executing [SELECT MAX(cid) FROM event WHERE sid='2';]
Jan 16 01:03:08 apogee barnyard2[4763]: database: [SynchronizeEventId()]: Problems executing [SELECT MAX(cid) FROM icmphdr WHERE sid='2';]
Jan 16 01:03:08 apogee barnyard2[4763]: database: [SynchronizeEventId()]: Problems executing [SELECT MAX(cid) FROM iphdr WHERE sid='2';]
Jan 16 01:03:08 apogee barnyard2[4763]: database: [SynchronizeEventId()]: Problems executing [SELECT MAX(cid) FROM opt WHERE sid='2';]
Jan 16 01:03:08 apogee barnyard2[4763]: database: [SynchronizeEventId()]: Problems executing [SELECT MAX(cid) FROM tcphdr WHERE sid='2';]
Jan 16 01:03:08 apogee barnyard2[4763]: database: [SynchronizeEventId()]: Problems executing [SELECT MAX(cid) FROM udphdr WHERE sid='2';]
Jan 16 01:03:12 apogee barnyard2[4763]: database: compiled support for (mysql)
Jan 16 01:03:12 apogee barnyard2[4763]: database: configured to use mysql
Jan 16 01:03:12 apogee barnyard2[4763]: database: schema version = 107
Jan 16 01:03:12 apogee barnyard2[4763]: database: host = localhost
Jan 16 01:03:12 apogee barnyard2[4763]: database: user = xxxx
Jan 16 01:03:12 apogee barnyard2[4763]: database: database name = xxxxx
Jan 16 01:03:12 apogee barnyard2[4763]: database: sensor name = apogee.xxx.xxx:re0
Jan 16 01:03:12 apogee barnyard2[4763]: database: sensor id = 2
Jan 16 01:03:12 apogee barnyard2[4763]: database: sensor cid = 4
Jan 16 01:03:12 apogee barnyard2[4763]: database: data encoding = hex
Jan 16 01:03:12 apogee barnyard2[4763]: database: detail level = full
Jan 16 01:03:12 apogee barnyard2[4763]: database: ignore_bpf = no
Jan 16 01:03:12 apogee barnyard2[4763]: database: using the "log" facility
Jan 16 01:03:12 apogee barnyard2[4763]:
Jan 16 01:03:12 apogee barnyard2[4763]: --== Initialization Complete ==--
Jan 16 01:03:12 apogee barnyard2[4763]: Barnyard2 initialization completed successfully (pid=4763)
Jan 16 01:03:12 apogee barnyard2[4763]: WARNING: Ignoring corrupt/truncated waldofile '/var/log/snort/barnyard2.waldo'
Jan 16 01:03:12 apogee barnyard2[4763]: ERROR: Unable to open directory '' (No such file or directory)
Jan 16 01:03:12 apogee barnyard2[4763]: ERROR: Unable to find the next spool file!
Jan 16 01:03:12 apogee barnyard2[4763]: ===============================================================================
Jan 16 01:03:12 apogee barnyard2[4763]: Record Totals:
Jan 16 01:03:12 apogee barnyard2[4763]: Records: 0
Jan 16 01:03:12 apogee barnyard2[4763]: Events: 0 (0.000%)
Jan 16 01:03:12 apogee barnyard2[4763]: Packets: 0 (0.000%)
Jan 16 01:03:12 apogee barnyard2[4763]: Unknown: 0 (0.000%)
Jan 16 01:03:12 apogee barnyard2[4763]: ===============================================================================
Jan 16 01:03:12 apogee barnyard2[4763]: Packet breakdown by protocol (includes rebuilt packets):
Jan 16 01:03:12 apogee barnyard2[4763]: ETH: 0 (0.000%)
Jan 16 01:03:12 apogee barnyard2[4763]: ETHdisc: 0 (0.000%)
Jan 16 01:03:12 apogee barnyard2[4763]: VLAN: 0 (0.000%)
Jan 16 01:03:12 apogee barnyard2[4763]: IPV6: 0 (0.000%)
Jan 16 01:03:12 apogee barnyard2[4763]: IP6 EXT: 0 (0.000%)
Jan 16 01:03:12 apogee barnyard2[4763]: IP6opts: 0 (0.000%)
Jan 16 01:03:12 apogee barnyard2[4763]: IP6disc: 0 (0.000%)
Jan 16 01:03:12 apogee barnyard2[4763]: IP4: 0 (0.000%)
Jan 16 01:03:12 apogee barnyard2[4763]: IP4disc: 0 (0.000%)
Jan 16 01:03:12 apogee barnyard2[4763]: TCP 6: 0 (0.000%)
Jan 16 01:03:12 apogee barnyard2[4763]: UDP 6: 0 (0.000%)
Jan 16 01:03:12 apogee barnyard2[4763]: ICMP6: 0 (0.000%)
Jan 16 01:03:12 apogee barnyard2[4763]: ICMP-IP: 0 (0.000%)
Jan 16 01:03:12 apogee barnyard2[4763]: TCP: 0 (0.000%)
Jan 16 01:03:12 apogee barnyard2[4763]: UDP: 0 (0.000%)
Jan 16 01:03:12 apogee barnyard2[4763]: ICMP: 0 (0.000%)
Jan 16 01:03:12 apogee barnyard2[4763]: TCPdisc: 0 (0.000%)
Jan 16 01:03:12 apogee barnyard2[4763]: UDPdisc: 0 (0.000%)
Jan 16 01:03:12 apogee barnyard2[4763]: ICMPdis: 0 (0.000%)
Jan 16 01:03:12 apogee barnyard2[4763]: FRAG: 0 (0.000%)
Jan 16 01:03:12 apogee barnyard2[4763]: FRAG 6: 0 (0.000%)
Jan 16 01:03:12 apogee barnyard2[4763]: ARP: 0 (0.000%)
Jan 16 01:03:12 apogee barnyard2[4763]: EAPOL: 0 (0.000%)
Jan 16 01:03:12 apogee barnyard2[4763]: ETHLOOP: 0 (0.000%)
Jan 16 01:03:12 apogee barnyard2[4763]: IPX: 0 (0.000%)
Jan 16 01:03:12 apogee barnyard2[4763]: OTHER: 0 (0.000%)
Jan 16 01:03:12 apogee barnyard2[4763]: DISCARD: 0 (0.000%)
Jan 16 01:03:12 apogee barnyard2[4763]: InvChkSum: 0 (0.000%)
Jan 16 01:03:12 apogee barnyard2[4763]: S5 G 1: 0 (0.000%)
Jan 16 01:03:12 apogee barnyard2[4763]: S5 G 2: 0 (0.000%)
Jan 16 01:03:12 apogee barnyard2[4763]: Total: 0
Jan 16 01:03:12 apogee barnyard2[4763]: ===============================================================================
Jan 16 01:03:15 apogee kernel: TCP: [127.0.0.1]:57381 to [127.0.0.1]:161 tcpflags 0x2<SYN>; tcp_input: Connection attempt to closed port
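Added example, not part of the post above and not code from the barnyard2 project: a small POSIX sh pre-flight check for the three things the log complains about before "Initialization Complete" turns into "Unable to find the next spool file", namely the spool directory (the -d argument, which the log shows as the empty string ''), the unified2 file prefix (the -f argument, which must match the filename in snort.conf's "output unified2:" line) and the waldo file (-w, reported as corrupt/truncated). The function name, the demo paths and the sample file names are assumptions for illustration; the demo builds a throwaway spool tree with mktemp so it runs offline.

```shell
#!/bin/sh
# Pre-flight check for a barnyard2 spool setup (added example, not from the post).
# Assumes the usual invocation:  barnyard2 -c CONF -d SPOOLDIR -f PREFIX -w WALDO
# by2_preflight is a hypothetical helper name; every path in the demo is made up.

# by2_preflight SPOOLDIR PREFIX WALDO
# Returns 0 when SPOOLDIR is a readable directory holding at least one file
# named PREFIX* (snort's unified2 output) and WALDO is either absent
# (barnyard2 creates it) or a non-empty regular file. Prints why it fails.
by2_preflight() {
    spool=$1 prefix=$2 waldo=$3
    if [ -z "$spool" ]; then
        echo "spool directory is empty: pass -d /path/to/spool" >&2
        return 1
    fi
    if [ ! -d "$spool" ] || [ ! -r "$spool" ]; then
        echo "spool directory '$spool' is missing or unreadable" >&2
        return 1
    fi
    if [ -z "$prefix" ]; then
        echo "unified2 prefix is empty: pass -f <prefix> matching snort.conf 'output unified2: filename <prefix>'" >&2
        return 1
    fi
    n=$(find "$spool" -maxdepth 1 -type f -name "$prefix*" | wc -l | tr -d ' ')
    if [ "$n" -eq 0 ]; then
        echo "no files named '$prefix*' in '$spool'; is snort writing unified2 there?" >&2
        return 1
    fi
    if [ -e "$waldo" ] && [ ! -s "$waldo" ]; then
        echo "waldo file '$waldo' exists but is empty; remove it so barnyard2 can recreate it" >&2
        return 1
    fi
    return 0
}

# Demo on a constructed spool tree (sample data, not real snort output).
demo=$(mktemp -d)
mkdir -p "$demo/spool"
: > "$demo/spool/snort.u2.1358298000"   # constructed empty unified2 file
: > "$demo/empty.waldo"                 # constructed zero-length waldo file

if by2_preflight "" "snort.u2" "$demo/by2.waldo"; then
    echo "unexpected: empty -d accepted"
else
    echo "empty -d caught, as in the log's Unable to open directory ''"
fi
if by2_preflight "$demo/spool" "snort.u2" "$demo/by2.waldo"; then
    echo "spool ok: barnyard2 -d $demo/spool -f snort.u2 -w $demo/by2.waldo"
fi
if ! by2_preflight "$demo/spool" "snort.u2" "$demo/empty.waldo"; then
    echo "empty waldo caught"
fi
rm -rf "$demo"
```

Run it as root (or as the user barnyard2 runs as) with the real -d, -f and -w values from your rc.conf or command line; the readability test only means something when it runs under the same uid barnyard2 will use.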