It seems snort is not logging everything to the database.

So far it has logged (output from BASE):
Sensors/Total: 1 / 1
Unique Alerts: 2
Categories: 2
Total Number of Alerts: 4

But from logging at the log files, it should have a lot more stuff in there:
-rw------- 1 snort snort 37533 Apr 27 20:18 alert
-rw------- 1 snort snort 49456 Apr 27 19:57 snort.log.1209342481
-rw------- 1 snort snort 13040 Apr 27 20:18 snort.log.1209344329

In /etc/snort/snort.conf I tried both log and alert for mysql.

Does anyone know why its not logging everything to the database?

Do I need to have barnyard installed?

The best suggestion I can make is to make a google/linux search for snort logging articles, like this one.

Thanks! I have already done those steps though, those are just the standard instructions.

No, not without diagnostics. What is in the log output? And Snort statistics?


You need Barnyard if you log to binary format (binary format being way faster compared to text format logs).

Thanks! I was logging in regular format and tried with barnyard installed.

I think something in my /etc/my.cnf file fubarred it, and/or I needed to add this line:
wait_timeout = 10000000

New items are showing up in BASE now:
[local] [snort] WEB-MISC /~root access attempted-recon 1(14%) 1 1 1 2008-04-28 21:28:42 2008-04-28 21:28:42

The error in the log file was:
# cat /var/log/messages |grep has\ gone\ away
Apr 28 21:25:59 lds185 snort[4386]: database: mysql_error: MySQL server has gone away SQL=UPDATE sensor SET last_cid = 4 WHERE sid = 1

Thanks for what? I didn't do nothing. You fixed it all by yourself. Well done.

By knowing it wasn't something major/common known issue, I knew I had to look for something minor. You and the other fellow helped point me in the right direction.