What to do when barnyard2 won’t log to the database…
Are you seeing something like this?
[SignatureReferencePullDataStore()]: No Reference found in database ...
Full text:
# /usr/local/bin/barnyard2 -c /etc/barnyard2.conf -d /var/log/snort -f snort.log -w /var/log/barnyard2/barnyard2.waldo
Running in Continuous mode
--== Initializing Barnyard2 ==--
Initializing Input Plugins!
Initializing Output Plugins!
Parsing config file "/etc/barnyard2.conf"
+[ Signature Suppress list ]+
----------------------------
+[No entry in Signature Suppress List]+
----------------------------
+[ Signature Suppress list ]+
Barnyard2 spooler: Event cache size set to [2048]
Log directory = /var/log/barnyard2/
INFO database: Defaulting Reconnect/Transaction Error limit to 10
INFO database: Defaulting Reconnect sleep time to 5 second
[SignatureReferencePullDataStore()]: No Reference found in database ...
database: compiled support for (mysql)
database: configured to use mysql
database: schema version = 107
database: host = localhost
database: user = snort
database: database name = snort
database: sensor name = some.hostname:eth0
database: sensor id = 1
database: sensor cid = 2
database: data encoding = hex
database: detail level = full
database: ignore_bpf = no
database: using the "log" facility
--== Initialization Complete ==--
______ -*> Barnyard2 < *-
/ ,,_ \ Version 2.1.13 (Build 327)
|o" )~| By Ian Firns (SecurixLive): http://www.securixlive.com/
+ '''' + (C) Copyright 2008-2013 Ian Firns
WARNING: Ignoring corrupt/truncated waldofile '/var/log/barnyard2/barnyard2.waldo'
Take a look at how you are running snort
Wrong Way examples
/usr/sbin/snort -b -d -D -i eth0 -u snort -g snort -c /etc/snort/snort.conf -l /var/log/snort
/usr/sbin/snort -A -d -D -i eth0 -u snort -g snort -c /etc/snort/snort.conf -l /var/log/snort
Right Way
/usr/sbin/snort -d -D -i eth0 -u snort -g snort -c /etc/snort/snort.conf -l /var/log/snort
What’s causing this problem?
You have enabled one or more of these switches when running snort: -A -b
More details, please…
Those switches correspond to the ALERTMODE and BINARY_LOG options in the Snort startup configuration, which are not meant to be combined with the unified2 spool logging that barnyard2 reads:
#### Logging & Alerting
# NOTE: NO_PACKET_LOG and BINARY_LOG, ALERTMODE, etc. are mutually
# exclusive. Use either NO_PACKET_LOG or any/all of the other logging
# options. But the more logging options you use, the slower Snort will run.
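As an added diagnostic for the two points above (this is not code from the original post or from the Snort/barnyard2 projects): it flags the -A/-b switches in a snort command line, handling clustered short options, and sniffs the first bytes of a snort.log.* spool file to tell a tcpdump-format log (what -b writes) from the unified2 records barnyard2 -f snort.log expects. The set of Snort options that take an argument and the unified2 record-type values are assumptions taken from Snort's documented options and unified2 definitions.

```python
import struct
from pathlib import Path

# The two snort switches this page blames: -A (ALERTMODE) and -b (BINARY_LOG).
BAD_SWITCHES = {"A", "b"}
# Short snort options that take an argument, so a letter following them in a
# cluster is a value, not another switch. Assumption: subset of snort's getopt.
ARG_OPTS = set("AcilugrhFGnkPSKBtm")
# libpcap file magics (both byte orders, usec and nsec); snort -b writes these.
PCAP_MAGICS = {b"\xa1\xb2\xc3\xd4", b"\xd4\xc3\xb2\xa1",
               b"\xa1\xb2\x3c\x4d", b"\x4d\x3c\xb2\xa1"}
# unified2 record types barnyard2 expects at the start of a spool file.
UNIFIED2_TYPES = {2, 7, 72, 104, 105, 110}

def offending_switches(cmdline):
    """Return the set of -A/-b switches present in a snort command line.
    Handles clustered short options such as -bdD and stops at the first
    option that consumes the rest of the cluster (or the next word) as its value."""
    found = set()
    skip_next = False
    for arg in cmdline.split()[1:]:
        if skip_next:
            skip_next = False
            continue
        if not arg.startswith("-") or arg.startswith("--") or len(arg) < 2:
            continue
        for pos, letter in enumerate(arg[1:], start=1):
            if letter in BAD_SWITCHES:
                found.add(letter)
            if letter in ARG_OPTS:
                # value is the rest of this cluster if any, else the next word
                skip_next = pos == len(arg) - 1
                break
    return found

def classify_header(head):
    """Classify the first 8 bytes of a snort.log.* spool file."""
    if not head:
        return "empty"
    if head[:4] in PCAP_MAGICS:
        return "pcap"          # written by snort -b; barnyard2 cannot parse it
    if len(head) >= 8:
        rec_type, rec_len = struct.unpack("!II", head[:8])
        if rec_type in UNIFIED2_TYPES and 0 < rec_len < 1 << 20:
            return "unified2"  # what barnyard2 -f snort.log expects
    return "unknown"

def spool_file_kind(path):
    """Read a spool file from disk and classify it."""
    return classify_header(Path(path).read_bytes()[:8])

if __name__ == "__main__":
    for line in ("snort -b -d -D -i eth0 -c /etc/snort/snort.conf -l /var/log/snort",
                 "snort -d -D -i eth0 -c /etc/snort/snort.conf -l /var/log/snort"):
        print(line, "->", sorted(offending_switches(line)) or "ok")
```

Run spool_file_kind against each file in /var/log/snort that barnyard2 is pointed at; any result other than "unified2" explains why nothing reaches the database.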
