
barnyard2 syslog warnings (barnyard2 issue #76, 11 comments, closed)

firnsy commented on August 15, 2024
barnyard2 syslog warnings

from barnyard2.

Comments (11)

snoep commented on August 15, 2024

Hmm. On this sensor I'm running IPv6. Dropped packets in the barnyard2 output match the IPv6 counter.

Any clue on when IPv6 is available/working in barnyard2?

Thanks


binf commented on August 15, 2024

On Sat, Mar 30, 2013 at 12:20 PM, snoep [email protected] wrote:

I'm running barnyard2 Version 2.1.12 (Build 321) on a suricata 1.4.1 sensor to an external database, running ubuntu 12.04 (both machines).

Corresponding config from barnyard2.conf:

config reference_file: /etc/suricata/reference.config
config classification_file: /etc/suricata/classification.config
config gen_file: /etc/suricata/rules/gen-msg.map
config sid_file: /etc/suricata/rules/sid-msg.map
config event_cache_size: 32768
config logdir: /var/log/barnyard2/
config hostname: webserver
config interface: eth0
config alert_with_interface_name
config dump_payload
config waldo_file: /var/log/suricata/suricata.waldo
input unified2
output alert_fast: stdout
output database: log, mysql, dbname= user= password= host=

syslog is full of the error messages below. I know it's a warning; however, I cannot judge whether that means I'm missing data.

I have been digging around in the docs, to no avail for a proper solution.

Mar 30 16:54:02 web barnyard2[26331]: WARNING database [Database()]: Called with Event[0x4bf5dc0] Event Type 72acket [0x0], information has not been outputed.
Mar 30 16:54:02 web barnyard2[26331]: WARNING database [Database()]: Called with Event[0x0] Event Type 0acket [0x4e261e0], information has not been outputed.
Mar 30 16:54:02 web barnyard2[26331]: WARNING database [Database()]: Called with Event[0x4bf5e50] Event Type 72acket [0x0], information has not been outputed.
Mar 30 16:54:02 web barnyard2[26331]: WARNING database [Database()]: Called with Event[0x0] Event Type 0acket [0x4e261e0], information has not been outputed.

WARNING database [Database()]: Called with Event[0xFFFFFFFF] Event Type XX Packet [0x0], information has not been outputed.

Means that an event was logged without a packet. This will generally happen when the cache is flushed, to make space for new events, on events that have not been logged before.

WARNING database [Database()]: Called with Event[0x0] Event Type XX Packet [0xFFFFFFFF], information has not been outputed.

Means that a packet without an event was processed and it was sent to the output plugin.

In both contexts you're exposing above, it concerns UNIFIED2_IDS_EVENT_IPV6 (72).

Barnyard2 and the current database schema do not support IPv6. A new spooler is in the works, and a new schema also (that is not backward compatible with the current UI or existing tools).

Unfortunately no date can be bound for those features for now.

Hoping this answers some of your questions.

-elz

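To turn the reply above into something an operator can check, here is an added example (my own code, not barnyard2's and not from this thread) that classifies those syslog warning lines into the two cases Eric describes, tallies them by unified2 event type, and counts record types in a unified2 spool stream so the IPv6 events the database plugin skips can be seen in the source file. It assumes the warning text exactly as quoted in this thread (including the "72acket" form). The four sample syslog lines are the ones quoted above; the unified2 bytes are constructed, not a capture from a real sensor. Record ids 2 and 7 come from the unified2 format itself, not from this thread.

```python
import re
import struct
from collections import Counter

# Unified2 record type ids. 72 is the UNIFIED2_IDS_EVENT_IPV6 type named in
# the reply above; 2 and 7 are the packet and IPv4 event types of the same
# format (assumed from the unified2 spec, not stated in this thread).
UNIFIED2_TYPES = {
    2: "UNIFIED2_PACKET",
    7: "UNIFIED2_IDS_EVENT",
    72: "UNIFIED2_IDS_EVENT_IPV6",
}

# Matches the warning as barnyard2 prints it. The optional "P" absorbs the
# "72acket" form in the syslog excerpt, where the type number runs straight
# into the word "Packet".
WARN_RE = re.compile(
    r"WARNING database \[Database\(\)\]: Called with Event\[0x([0-9a-fA-F]+)\]"
    r" Event Type (\d+)\s*P?acket \[0x([0-9a-fA-F]+)\]"
)


def classify_warning(line):
    """Describe one warning line, or return None if the line is not one."""
    m = WARN_RE.search(line)
    if m is None:
        return None
    event_ptr = int(m.group(1), 16)
    event_type = int(m.group(2))
    packet_ptr = int(m.group(3), 16)
    if event_ptr and not packet_ptr:
        kind = "event_without_packet"   # event flushed from the cache unlogged
    elif packet_ptr and not event_ptr:
        kind = "packet_without_event"   # packet reached the plugin with no event
    else:
        kind = "other"
    return {
        "kind": kind,
        "event_type": event_type,
        "type_name": UNIFIED2_TYPES.get(event_type, "unknown"),
    }


def summarize_warnings(lines):
    """Count warnings keyed by (kind, unified2 event type)."""
    counts = Counter()
    for line in lines:
        info = classify_warning(line)
        if info is not None:
            counts[(info["kind"], info["event_type"])] += 1
    return counts


def ipv6_events_not_stored(lines):
    """Type-72 events the database plugin reported but did not write out."""
    return summarize_warnings(lines)[("event_without_packet", 72)]


def count_unified2_records(data):
    """Count records by type in a unified2 byte stream.

    Each record starts with an 8-byte big-endian header (type, length) and is
    followed by `length` bytes of body. A trailing partial record, normal
    while the sensor is still appending to the spool file, is ignored.
    """
    counts = Counter()
    offset = 0
    while offset + 8 <= len(data):
        rec_type, rec_len = struct.unpack_from(">II", data, offset)
        if offset + 8 + rec_len > len(data):
            break
        counts[rec_type] += 1
        offset += 8 + rec_len
    return counts


# Sample input: the four syslog lines quoted in the thread.
SAMPLE_SYSLOG = [
    "Mar 30 16:54:02 web barnyard2[26331]: WARNING database [Database()]: Called with Event[0x4bf5dc0] Event Type 72acket [0x0], information has not been outputed.",
    "Mar 30 16:54:02 web barnyard2[26331]: WARNING database [Database()]: Called with Event[0x0] Event Type 0acket [0x4e261e0], information has not been outputed.",
    "Mar 30 16:54:02 web barnyard2[26331]: WARNING database [Database()]: Called with Event[0x4bf5e50] Event Type 72acket [0x0], information has not been outputed.",
    "Mar 30 16:54:02 web barnyard2[26331]: WARNING database [Database()]: Called with Event[0x0] Event Type 0acket [0x4e261e0], information has not been outputed.",
]

# Constructed unified2 stream: headers with dummy bodies plus a truncated
# final record, to exercise the reader. Not data from a real sensor.
SAMPLE_UNIFIED2 = (
    struct.pack(">II", 72, 4) + b"\x00" * 4
    + struct.pack(">II", 2, 6) + b"\x00" * 6
    + struct.pack(">II", 7, 4) + b"\x00" * 4
    + struct.pack(">II", 2, 6) + b"\x00" * 6
    + struct.pack(">II", 72, 4) + b"\x00" * 4
    + struct.pack(">II", 72, 40) + b"\x00" * 10   # cut short on purpose
)

if __name__ == "__main__":
    for key, n in sorted(summarize_warnings(SAMPLE_SYSLOG).items()):
        print(key, n)
    print("IPv6 events not stored:", ipv6_events_not_stored(SAMPLE_SYSLOG))
    print("unified2 records by type:", dict(count_unified2_records(SAMPLE_UNIFIED2)))
```

Against live data, pass the open syslog file to `summarize_warnings` and the bytes of the unified2 spool file to `count_unified2_records`. Comparing the type-72 count in the spool with `ipv6_events_not_stored` shows how many of the sensor's IPv6 alerts the database plugin reported as not output, which is the "am I missing data" question the original post asks.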

snoep commented on August 15, 2024

Yep, it does.

Many thanks for the prompt reply.

Regards

Paul

binf commented on August 15, 2024

Can close the issue.


binf commented on August 15, 2024

Hello,
I have the same problem, snoep.
Starting from version 2.1.13, and with the IPv6 option enabled at install, I still have the error in the log messages. How can I get rid of it?
Thank you for your help.
Michel


mattulm commented on August 15, 2024

@binf
Did you ever get a solution to this?
I have the same issue with snort as well.


snoep commented on August 15, 2024

No, it was not resolved. On the other hand, it does not affect suri; it's just filling the logs. That's why I disabled logging and added checks to Nagios to see if it's running.

If you ever find a solution, please let me know :)

Cheers

paul

mattulm commented on August 15, 2024

For me the strange thing is that I have multiple machines using barnyard, and on only one does it not send the logs to our syslog server. All of the others send logs just fine, but yes, all of them have logs full of this particular event.

Any additional thoughts?
Could I be missing something?

Matt
"So much to learn, So little time"


snoep commented on August 15, 2024

iptables in the way? Wrong config for rsyslog, IP address of the logging server, wrong port?

Mismatch in the syslog config file, incorrect sequence in logging, logging muted?

tcpdump on the receiving host for the syslogs to be sent, to see if the problem lies on the sending or the receiving host?

Just a few thoughts...

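As an added example (my own code, not from this thread or from barnyard2) of the sending-side versus receiving-side check Paul suggests above, here is a minimal UDP syslog probe: one function builds an RFC 3164 style line, one opens a receiver to run on the log server, one sends a line from the sensor, and a loopback self-test wires both ends together on 127.0.0.1 with an ephemeral port so it runs without any real log server. The host name, tag, facility and port values are assumptions for the demonstration.

```python
import socket
import time

LOG_LOCAL0 = 16   # syslog facility number for local0
SEV_WARNING = 4   # syslog severity number for "warning"


def build_syslog_message(facility, severity, hostname, tag, text):
    """Build an RFC 3164 style line: <PRI>TIMESTAMP HOST TAG: text.

    PRI is facility * 8 + severity. The timestamp uses %d (zero-padded day)
    rather than the space-padded day of the RFC so it works on every platform.
    """
    pri = facility * 8 + severity
    stamp = time.strftime("%b %d %H:%M:%S")
    return f"<{pri}>{stamp} {hostname} {tag}: {text}"


def parse_pri(line):
    """Split the <PRI> prefix back into (facility, severity); None if malformed."""
    if not line.startswith("<"):
        return None
    end = line.find(">")
    if end < 1 or not line[1:end].isdigit():
        return None
    pri = int(line[1:end])
    if pri > 191:          # 23 facilities * 8 + 7 is the largest legal value
        return None
    return divmod(pri, 8)


def open_receiver(host="0.0.0.0", port=514, timeout=5.0):
    """Bind a UDP socket where the log server should be receiving."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((host, port))
    sock.settimeout(timeout)
    return sock


def send_test_message(host, port, message):
    """Send one datagram from the sensor side; returns bytes sent."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        return sock.sendto(message.encode("utf-8"), (host, port))


def wait_for_message(receiver):
    """Return (line, sender_ip) or None if nothing arrived before the timeout."""
    try:
        data, peer = receiver.recvfrom(65535)
    except socket.timeout:
        return None
    return data.decode("utf-8", errors="replace"), peer[0]


def loopback_self_test():
    """Run both ends on 127.0.0.1 with an ephemeral port; return the received line."""
    receiver = open_receiver("127.0.0.1", 0, timeout=2.0)
    try:
        port = receiver.getsockname()[1]
        msg = build_syslog_message(LOG_LOCAL0, SEV_WARNING, "sensor1",
                                   "barnyard2-check", "syslog path probe")
        send_test_message("127.0.0.1", port, msg)
        got = wait_for_message(receiver)
        return got[0] if got else None
    finally:
        receiver.close()


if __name__ == "__main__":
    line = loopback_self_test()
    print("received:", line)
    print("facility, severity:", parse_pri(line) if line else None)
```

In practice you run `open_receiver` plus `wait_for_message` on the syslog server (on the port rsyslog is meant to listen on, with the daemon stopped) and `send_test_message` on the sensor: if the probe arrives, the network path, firewall and port are fine and the fault is in the rsyslog configuration; if it does not, the problem is on the sending side or in between.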

mattulm commented on August 15, 2024

So far, I had thought of all of those.
It is sending logs; it's just this OpSyslog_Alert() issue.
Strangely, the other Snort boxes do not send those log messages.

.... but actually, writing this out gives me an idea.
Thanks for being a sounding board!

Matt
"So much to learn, So little time"


binf commented on August 15, 2024

I think that my reply explained the issue pretty clearly.
Look at the backlog messages.

