On Thu, 2014-07-03 at 10:55 -0400, Bamm Visscher wrote:
Is there more output from the debug you can send?


Bamm


On Thu, Jul 3, 2014 at 9:09 AM, James Lay <jlay@slave-tothe-box.net> wrote:
On Thu, 2014-07-03 at 08:08 -0400, Bamm Visscher wrote:
I would check to make sure the localtime for your sensors/servers are all set to UTC. Not just the DB.


Bamm


On Wed, Jul 2, 2014 at 9:40 PM, James Lay <jlay@slave-tothe-box.net> wrote:
On Wed, 2014-07-02 at 19:22 -0600, James Lay wrote:
On Wed, 2014-07-02 at 20:53 -0400, Bamm Visscher wrote:
Did this cause your DB to fail again? Restarting BY should fix it.


Bamm


On Wed, Jul 2, 2014 at 8:16 PM, James Lay <jlay@slave-tothe-box.net> wrote:
On Wed, 2014-07-02 at 12:47 -0400, Bamm Visscher wrote:
Hi James,


This does look like there is a TZ issue at play. I'll dig deeper when I get a chance this evening. One way to get back up would be to temporarily disable the autocat rule that is triggering the update.


Bamm



And again...moments ago:

Jul  2 18:01:59 x.x.x.x barnyard2[15859]: FATAL ERROR: sguil: Expected Confirm 904 and got: Failed to insert 904: mysqlexec/db server: Duplicate entry 4-904 for key PRIMARY#012.  I'm officially at a loss at what to do now besides roll back to 0.8.0.

James

Negative....sguild will no longer start....exact same thing as earlier...around the same time as well:

[19:20:47 @ids:~$] mysqlexec/db server: Table 'sguildb.event_External_20140703' doesn't exist
    while executing
"mysqlexec $MAIN_DB_SOCKETID $updateString"
    (procedure "UpdateDBStatus" line 11)
    invoked from within
"UpdateDBStatus [lindex $data 3] [lindex $data 4] [lindex $data 5] [lindex $data 6] [GetCurrentTimeStamp] $AUTOID $acCat($rid)"
    (procedure "AutoCat" line 43)
    invoked from within
"AutoCat $row"
    ("foreach" body line 6)
    invoked from within
"foreach row [mysqlsel $MAIN_DB_SOCKETID $tmpQry -list] {
 
        InfoMessage "Archived Alert: $row"
        set LAST_EVENT_ID([lindex $row 3]) "[li..."
    invoked from within
"if { $mergeTableListArray(event) != "" } {

    # Get the archived alerts
    LogMessage "Querying DB for archived events..."
    set MAJOR_MYSQL_VERS..."
    (file "/opt/bin/sguil/sguild" line 734)






Ok Bamm.....I'll try that....is that going to fix my current inability to start sguild, or will I have to redo the db again?  Thank you.

James


------------------------------------------------------------------------------
Open source business process management suite built on Java and Eclipse
Turn processes into business applications with Bonita BPM Community Edition
Quickly connect people, data, and systems into organized workflows
Winner of BOSSIE, CODIE, OW2 and Gartner awards
http://p.sf.net/sfu/Bonitasoft
_______________________________________________
Sguil-users mailing list
Sguil-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/sguil-users





--
sguil - The Analyst Console for NSM
http://www.sguil.net

Here's the full debug:

2014-07-03 15:06:48 pid(5657)  Loading access list: /opt/etc/snort/sguild/sguild.access
2014-07-03 15:06:48 pid(5657)  Sensor access list set to ALLOW ANY.
2014-07-03 15:06:48 pid(5657)  Client access list set to ALLOW ANY.
2014-07-03 15:06:48 pid(5657)  Email Configuration:
2014-07-03 15:06:48 pid(5657)    Config file: /etc/sguild/sguild.email
2014-07-03 15:06:48 pid(5657)    Enabled: No
2014-07-03 15:06:48 pid(5657)  Connecting to localhost on 3306 as sguil
2014-07-03 15:06:48 pid(5657)  MySQL Version: version 5.5.37-0ubuntu0.12.04.1
2014-07-03 15:06:48 pid(5657)  SguilDB Version: 0.14
2014-07-03 15:06:48 pid(5657)  Creating event MERGE table.
2014-07-03 15:06:48 pid(5657)  Creating tcphdr MERGE table.
2014-07-03 15:06:48 pid(5657)  Creating udphdr MERGE table.
2014-07-03 15:06:48 pid(5657)  Creating icmphdr MERGE table.
2014-07-03 15:06:48 pid(5657)  Creating data MERGE table.
2014-07-03 15:06:48 pid(5659)  Loaderd Forked
2014-07-03 15:06:48 pid(5657)  Retrieving DB info...
2014-07-03 15:06:48 pid(5657)    SELECT sid, net_name, hostname, agent_type FROM sensor WHERE active='Y' ORDER BY net_name, sid ASC
2014-07-03 15:06:48 pid(5660)  Queryd Forked
2014-07-03 15:06:48 pid(5657)    SELECT MAX(timestamp) FROM event WHERE sid=4
2014-07-03 15:06:48 pid(5657)    SELECT MAX(timestamp) FROM event WHERE sid=2
2014-07-03 15:06:48 pid(5657)    SELECT MAX(timestamp) FROM event WHERE sid=3
2014-07-03 15:06:48 pid(5657)    SELECT MAX(timestamp) FROM event WHERE sid=1
2014-07-03 15:06:48 pid(5657)  Querying DB for archived events...
mysqlexec/db server: Table 'sguildb.event_External_20140703' doesn't exist
    while executing
"mysqlexec $MAIN_DB_SOCKETID $updateString"
    (procedure "UpdateDBStatus" line 11)
    invoked from within
"UpdateDBStatus [lindex $data 3] [lindex $data 4] [lindex $data 5] [lindex $data 6] [GetCurrentTimeStamp] $AUTOID $acCat($rid)"
    (procedure "AutoCat" line 43)
    invoked from within
"AutoCat $row"
    ("foreach" body line 6)
    invoked from within
"foreach row [mysqlsel $MAIN_DB_SOCKETID $tmpQry -list] {
 
        InfoMessage "Archived Alert: $row"
        set LAST_EVENT_ID([lindex $row 3]) "[li..."
    invoked from within
"if { $mergeTableListArray(event) != "" } {

    # Get the archived alerts
    LogMessage "Querying DB for archived events..."
    set MAJOR_MYSQL_VERS..."
    (file "/opt/bin/sguil/sguild" line 734)
2014-07-03 15:06:48 pid(5659)  Unknown command received from sguild:

Thanks Bamm.

James
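The error in the debug above names a daily table, event_External_20140703, that sguild references but that does not exist in the DB, and Bamm's suspicion is a timezone mismatch between the sensors/server and the UTC-based DB. The following is an added diagnostic written for this thread; it is not sguild code. It parses the "doesn't exist" error line, compares the local and UTC calendar day at the time of the failure with the day encoded in the table name, and lists which tables referenced by a MERGE table are absent. The table-name layout (kind_netname_YYYYMMDD) is taken from the error text, the failure time from the syslog line and the -0600 offset from the mail headers; the list of existing tables is a constructed sample standing in for what SHOW TABLES would return.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample input: the error line quoted in the thread, plus a
# hypothetical list of the daily tables that happen to exist in the DB
# (assumed to be what `SHOW TABLES LIKE 'event_External_%'` would return).
SAMPLE_ERROR = ("mysqlexec/db server: Table 'sguildb.event_External_20140703' "
                "doesn't exist")
EXISTING_TABLES = [
    "event_External_20140630",
    "event_External_20140701",
    "event_External_20140702",
]

# Daily table name layout <kind>_<net_name>_<YYYYMMDD>, as seen in the error text.
MISSING_TABLE_RE = re.compile(
    r"Table '(?P<db>\w+)\.(?P<table>(?P<kind>[a-z]+)_(?P<net>.+)_(?P<ymd>\d{8}))' "
    r"doesn't exist"
)


def parse_missing_table(line):
    """Return db/table/kind/net/day (ISO date string) for a 'doesn't exist' error, else None."""
    m = MISSING_TABLE_RE.search(line)
    if m is None:
        return None
    info = m.groupdict()
    ymd = info.pop("ymd")
    info["day"] = datetime.strptime(ymd, "%Y%m%d").date().isoformat()
    return info


def clock_report(failure_local, offset_hours, table_day):
    """Compare the local and UTC calendar day at the failure time with the table's day.

    failure_local: 'YYYY-MM-DD HH:MM:SS' wall-clock time from the host's log line
    offset_hours:  that host's UTC offset (-6 for the -0600 in the mail headers)
    table_day:     ISO date taken from the missing table name
    """
    tz = timezone(timedelta(hours=offset_hours))
    local = datetime.strptime(failure_local, "%Y-%m-%d %H:%M:%S").replace(tzinfo=tz)
    utc_day = local.astimezone(timezone.utc).date().isoformat()
    local_day = local.date().isoformat()
    return {
        "utc_day": utc_day,
        "local_day": local_day,
        "table_day": table_day,
        # True when UTC has crossed midnight but the host's local clock has not (or vice versa)
        "day_boundary_mismatch": utc_day != local_day,
        "table_is_utc_day": table_day == utc_day,
    }


def explain(report):
    """One-line reading of a clock_report() result."""
    if report["table_is_utc_day"] and report["day_boundary_mismatch"]:
        return ("UTC day %s has begun while the host's local day is still %s; the table "
                "for the new UTC day is referenced before it exists, consistent with the "
                "TZ mismatch suspected in the thread" % (report["utc_day"], report["local_day"]))
    if report["table_is_utc_day"]:
        return "table for the current UTC day %s is missing" % report["utc_day"]
    return ("table day %s is not the UTC day %s at failure time; the clock is not the "
            "obvious cause" % (report["table_day"], report["utc_day"]))


def missing_from_merge(referenced, existing):
    """Names in a MERGE table's UNION list that have no backing table."""
    have = set(existing)
    return [name for name in referenced if name not in have]


if __name__ == "__main__":
    info = parse_missing_table(SAMPLE_ERROR)
    # Failure time and -0600 offset come from the syslog line and mail headers in the thread.
    report = clock_report("2014-07-02 18:01:59", -6, info["day"])
    print(explain(report))
    print("missing:", missing_from_merge(EXISTING_TABLES + [info["table"]], EXISTING_TABLES))
```

Run with the thread's values (18:01:59 local at -0600) the report shows the UTC day already at 2014-07-03 while the local day is still 2014-07-02, which is exactly the day of the table sguild could not find; rerun with offset 0 and the mismatch disappears, which is the check behind the advice to put sensors and server on UTC and not only the DB.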