Randy,
Well -- I downgraded the MySQL client on the sensor box to 4.1.16 from
5.0.21 or 0.18 (I forget). I restarted the mysql server process and low
and behold:
barnyard[35712]: Lost connection to MySQL server. Reconnecting
barnyard[35712]: Reconnected to MySQL server.
very nice.
Next test.. stop the mysql server altogether. Trigger an alert.. wait..
start the mysql server back up again. Result:
barnyard[35712]: Lost connection to MySQL server. Reconnecting
barnyard[35712]: Reconnected to MySQL server.
Great! It appears to be a MySQL 5.0 client thing.. or atleast the
configuration I have in it? Works fine now though.
Thanks again for the assistance. If anyone knows why with 5.0 it gives up
and doesn't reconnect.. please feel free to share.
Steven
> I just happen to have a testing environment here to try it for you.
>
> My remote snort sensor is recording 4 icmp alerts every minute.
> Barnyard is sending them to a central mysql db on a separate machine.
> This is through an ipsec tunnel.
>
> I stopped the central mysql daemon.
> Pinged my remote sensor a few more times for good luck.
> Saw that snort was indeed logging them to the remote sensors uni file.
> Waited a bit more and then went back to the central machine and started
> mysql.
>
> No problem. Barnyard sent all the alerts once mysql was back up.
>
> Randy.
>
>
> -----Original Message-----
> From: Steven Adair [mailto:steven@xxxxxxxxxxxxx]
> Sent: May 11, 2006 11:13 AM
> To: Randy Walinga
> Cc: steven@xxxxxxxxxxxxx; barnyard-users@xxxxxxxxxxxxxxxxxxxxx
> Subject: RE: [Barnyard-users] Barnyard MySQL DB Reconnection Problem
>
>
> Hmm -- not sure if it could be MySQL or not. What happens if you restart
> your remote MySQL database? Does it just reconnect on it its own?
> Perhaps I will test it without SSL -- I know when I was testing this with
> SSL disabled on a different server + stunnel -- I had the same problem if
> connection was lost (randomly, or mysql restart, or stunnel restart).
>
> I'll give it a shot without SSL and see. Does your barnyard reconnect
> fine when a connection is lost without SSL?
>
> Thanks
>
> Steven
>
>
>> I have been using barnyard (0.2.0 b32) on many sensors back to a mysql
>> (4.1.7) central db for years and have never had the problem you
> describe.
>>
>> Sometimes we could have zero activity for days at a remote location over
>> the weekend, or there could be network outages etc., but barnyard always
>> works.
>>
>> I don't use OpenSSL, instead my connections are through ipsec tunnels.
>>
>> I know it seems like a barnyard problem according to your description
> and
>> the logs, but I am not so sure. Test it without the ssl maybe? Or
> maybe
>> it's even something with your MySQL?
>>
>> Randy.
>>
>>
>> -----Original Message-----
>> From: barnyard-users-admin@xxxxxxxxxxxxxxxxxxxxx
>> [mailto:barnyard-users-admin@xxxxxxxxxxxxxxxxxxxxx]On Behalf Of Steven
>> Adair
>> Sent: May 11, 2006 9:57 AM
>> To: barnyard-users@xxxxxxxxxxxxxxxxxxxxx
>> Subject: [Barnyard-users] Barnyard MySQL DB Reconnection Problem
>>
>>
>> Howdy,
>>
>> Maybe someone can help me out with this problem as I am sure it must be
> a
>> pretty common one (or so I would think).
>>
>> Quick info before I start:
>>
>> Senor: Version 2.4.3 (Build 26)
>> Sensor: Barnyard Version 0.2.0 (Build 32)
>> DB Server: MySQL: 5.0.21 with OpenSSL enabled.
>>
>> I use snort + barnyard to write to my remote MySQL db (remote being on
> the
>> same subnet but another machine). Alerting, logging, and inserting into
>> the database works fine. However, after period of inactivity, or if the
>> database is restarted -- we lose connection at some point. The next
> time
>> a snort alert is triggered and barynard attempts to write to the
> database
>> I get this problem:
>>
>> myhost1 barnyard[71485]: Lost connection to MySQL server. Reconnecting
>>
>> It doesn't appear to actually ever try and reconnect or anything. Short
>> of restarting barnyard I can't see a way to fix this. This doesn't seem
>> like it should be normal behavior. Is there a way to have barnyard
>> /actually/ reconnect to the database? Why must it be restarted in order
>> to truly reconnect.
>>
>> Is there a work around or fix for this? I've found limited responses on
>> the web, but I would have to think everyone using a remote db + barnyard
>> has to have this problem. Besides restarting barnyard every so often or
>> monitoring /var/log/messages for "Lost connection to MySQL server." and
>> restarting the process -- is there another way to correct this issue?
>>
>> Thanks
>>
>>
>>
>>
>> -------------------------------------------------------
>> Using Tomcat but need to do more? Need to support web services,
> security?
>> Get stuff done quickly with pre-integrated technology to make your job
>> easier
>> Download IBM WebSphere Application Server v.1.0.1 based on Apache
> Geronimo
>> http://sel.as-us.falkag.net/sel?cmd=lnk&kid=120709&bid=263057&dat=121642
>> _______________________________________________
>> Barnyard-users mailing list
>> Barnyard-users@xxxxxxxxxxxxxxxxxxxxx
>> https://lists.sourceforge.net/lists/listinfo/barnyard-users
>> ###########################################
>>
>> This message has been scanned by F-Secure Anti-Virus for Microsoft
>> Exchange.
>> For more information, connect to http://www.F-Secure.com/
>>
>>
>>
>> -------------------------------------------------------
>> Using Tomcat but need to do more? Need to support web services,
> security?
>> Get stuff done quickly with pre-integrated technology to make your job
>> easier
>> Download IBM WebSphere Application Server v.1.0.1 based on Apache
> Geronimo
>> http://sel.as-us.falkag.net/sel?cmd=lnk&kid=120709&bid=263057&dat=121642
>> _______________________________________________
>> Barnyard-users mailing list
>> Barnyard-users@xxxxxxxxxxxxxxxxxxxxx
>> https://lists.sourceforge.net/lists/listinfo/barnyard-users
>>
>>
>>
>
>
> ###########################################
>
> This message has been scanned by F-Secure Anti-Virus for Microsoft
> Exchange.
> For more information, connect to http://www.F-Secure.com/
>
>
>
> -------------------------------------------------------
> Using Tomcat but need to do more? Need to support web services, security?
> Get stuff done quickly with pre-integrated technology to make your job
> easier
> Download IBM WebSphere Application Server v.1.0.1 based on Apache Geronimo
> http://sel.as-us.falkag.net/sel?cmd=lnk&kid=120709&bid=263057&dat=121642
> _______________________________________________
> Barnyard-users mailing list
> Barnyard-users@xxxxxxxxxxxxxxxxxxxxx
> https://lists.sourceforge.net/lists/listinfo/barnyard-users
>
> !DSPAM:446362d0276301094955996!
>
-------------------------------------------------------
Using Tomcat but need to do more? Need to support web services, security?
Get stuff done quickly with pre-integrated technology to make your job easier
Download IBM WebSphere Application Server v.1.0.1 based on Apache Geronimo
http://sel.as-us.falkag.net/sel?cmd=lnk&kid=120709&bid=263057&dat=121642
|
