LinuxQuestions.org

Linux - Software: Problem Logging SNORT Data to Mysql Database (https://www.linuxquestions.org/questions/linux-software-2/problem-logging-snort-data-to-mysql-database-587461/)

ALInux 09-26-2007 05:38 AM

Problem Logging SNORT Data to Mysql Database
 
Hi All
I have set up Snort IDS with BASE on Red Hat 4 EL. Snort is running and BASE is running; however, Snort is not logging any data to the MySQL database.
Upon further investigation I checked a FAQ, and the following was stated:

No events are getting logged to the database

There are potentially numerous causes for this problem:
Confirm that the command line arguments are not overriding the logging configuration. (an error of "WARNING: command line overrides rules file alert plugin!" should be displayed). Using "-A" or "-s" will override any database logging configuration. If multiple output targets are desired (e.g. logging to a file and the database), use the configuration file to setup these plugins.

When I start snort using /etc/init.d/snort start, I get the following two alerts in /var/log/messages:

Sep 26 11:13:46 xmpp snort: command line overrides rules file logging plugin!
Sep 26 11:13:46 xmpp snort: command line overrides rules file alert plugin!

These are the direct result of uncommenting the following two lines in snort.conf:

output log_tcpdump: tcpdump.log
output database: log, mysql, user=snort password=tasdwfgr dbname=snort host=localhost

Now the thing is that I do start snort using /etc/init.d/snortd start, and that file reads its config parameters from /etc/sysconfig/snort.conf.

I have no clue what needs to be done now.

Any clues?
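
The override the FAQ quoted above describes can be checked before restarting anything: compare the switches the init script hands to Snort with the "output" lines in snort.conf. The script below is an added example, not code from this thread or from the Snort project. It treats -A and -s as overriding the alert plugins (as the FAQ states) and, as an assumption made here to account for the second "logging plugin" warning, treats -b (binary packet logging) as overriding the logging plugins. The argument strings and the snort.conf fragment are constructed samples with a placeholder password, and the idea that a sysconfig variable such as ALERTMODE=fast turns into "-A fast" is likewise an assumption about the init script, not something the post shows.

```shell
#!/bin/sh
# Added example, not code from the thread: decide which "output" plugins in a
# snort.conf fragment Snort will ignore because of the command line it is
# started with. The FAQ quoted in the post says -A and -s override the alert
# plugins; treating -b as overriding the logging plugins is an assumption
# made here. All inputs are constructed samples, not the poster's real files.

# Constructed stand-in for what an init script assembles from its sysconfig
# variables (assumption: ALERTMODE=fast becomes "-A fast", binary logging adds -b).
SNORT_ARGS_FROM_INIT="-A fast -b -d -D -i eth0 -c /etc/snort/snort.conf -l /var/log/snort"

# The same start-up with the overriding switches dropped, so snort.conf decides.
SNORT_ARGS_FIXED="-d -D -i eth0 -c /etc/snort/snort.conf -l /var/log/snort"

# Constructed snort.conf fragment: the two lines from the post plus one
# alert plugin, with a placeholder password.
SNORT_CONF='# output section
output log_tcpdump: tcpdump.log
output database: log, mysql, user=snort password=PLACEHOLDER dbname=snort host=localhost
output alert_fast: alert'

# Print the plugin kinds ("alert", "log") that the given command line overrides.
override_kinds() {
    for tok in $1; do
        case "$tok" in
            -A|-s) echo alert ;;
            -b)    echo log ;;
        esac
    done | sort -u
}

# Map an output plugin name ($1) and its first argument ($2) to its kind.
plugin_kind() {
    case "$1" in
        database) case "$2" in alert*) echo alert ;; *) echo log ;; esac ;;
        alert_*)  echo alert ;;
        log_*)    echo log ;;
        *)        echo unknown ;;
    esac
}

# For every "output" line in the config text ($2), print one verdict line:
# "OVERRIDDEN <plugin> (...)" or "ACTIVE <plugin> (...)" for the args in $1.
audit_outputs() {
    kinds=$(override_kinds "$1")
    printf '%s\n' "$2" | while IFS= read -r line; do
        case "$line" in
            output\ *) ;;
            *) continue ;;
        esac
        rest=${line#output }
        name=$(printf '%s' "${rest%%:*}" | tr -d ' ')
        first=$(printf '%s' "${rest#*:}" | sed 's/^[[:space:]]*//; s/[,[:space:]].*$//')
        kind=$(plugin_kind "$name" "$first")
        if printf '%s\n' "$kinds" | grep -qx "$kind"; then
            echo "OVERRIDDEN $name ($kind plugin; the command line wins)"
        else
            echo "ACTIVE $name ($kind plugin)"
        fi
    done
}

# Number of config output plugins the command line would silence.
overridden_count() {
    audit_outputs "$1" "$2" | grep -c '^OVERRIDDEN' || true
}

echo "== as started by the init script =="
audit_outputs "$SNORT_ARGS_FROM_INIT" "$SNORT_CONF"
echo "== with -A and -b removed from the command line =="
audit_outputs "$SNORT_ARGS_FIXED" "$SNORT_CONF"
```

With the constructed init-script arguments all three output lines are reported as OVERRIDDEN, which is the situation the two /var/log/messages warnings describe; with -A and -b removed every output line is ACTIVE, and the database plugin in snort.conf is the one that would receive events.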

unSpawn 09-30-2007 04:54 AM

Is Snort *really* running?
Did you set all the required variables in snort.conf?
Tested the config with "-T"?
Is it a version that was compiled with database support?
Do you have all dependencies installed?


Quote:

Originally Posted by ALInux (Post 2904144)
Confirm that the command line arguments are not overriding the logging configuration. (an error of "WARNING: command line overrides rules file alert plugin!" should be displayed). Using "-A" or "-s" will override any database logging configuration.

So what are the command-line args of snort?


Quote:

Originally Posted by ALInux (Post 2904144)
output log_tcpdump: tcpdump.log

Does it log to that packet capture file?


Quote:

Originally Posted by ALInux (Post 2904144)
output database: log, mysql, user=snort password=tasdwfgr dbname=snort host=localhost

Can you confirm the "create_mysql" post-install script was run to create the database?
Did you "Create BASE AG" from the BASE GUI?
Can you confirm the dbname, database user exist and the user was granted access?
What happens if you connect to the database with the user:pass manually?


Any other log output?
And if you set verbose mode for the duration of testing?

ALInux 10-01-2007 06:35 AM

Yes, Snort is running and logging successfully to its log files. And yes, the database is created and ready to receive input. I did not provide any arguments to Snort; I only started the daemon.

Did you set all the required variables in snort.conf? I uncommented the db section for MySQL and entered the username, db, pwd, and hostname, and triple-checked that data.
Does it have all dependencies installed? I used an RPM package, so it should have all dependencies installed.

Does it log to that packet capture file? Yes
Can you confirm the "create_mysql" post-install script was run to create the database? YES
Did you "Create BASE AG" from the BASE GUI? YES
Can you confirm the dbname, database user exist and the user was granted access? YES
What happens if you connect to the database with the user:pass manually? Successful Logon

unSpawn 10-02-2007 03:14 PM

Quote:

Originally Posted by ALInux (Post 2909215)
I did not provide any arguments to SNORT I only started the daemon.

Should check args anyway.


Quote:

Originally Posted by ALInux (Post 2909215)
I used an rpm package..so it should have all dependencies installed.

I'm asking because there are (or at least were able to build) different versions of the Snort package: plain, bloated, with database support... Since you say it does log PCAP and everything is OK on the db side, running the "wrong" version would be my only guess. You see, if I uncomment the db settings in snort.conf it will still run happily and not log any warning about db's or that. If that isn't it then I'd take this issue to the Snort users mailing list.

Scal 03-18-2008 12:16 PM

Same or Not????
 
Dear,
Well, when I start this
/usr/local/snort/snort-2.8.0/etc # snort -c snort.conf -v -i eth0
in the shell to start snort with a log in a database
it doesn't work!!!!!
and when I try this
/usr/local/snort/snort-2.8.0/etc # snort -c snort.conf -v -i lo
it works great.
CAN you help me please!! I don't know what I'll do with this error.
Thanks.
