Re: [Sguil-devel] Trying out sguil 0.6.1, some errors encountered
From: Jonathan G. <jon...@se...> - 2007-02-27 14:47:46
Hi Bamm

Thanks for the reply.

Prior to running the sensor and server for the first time I had created a fresh db. This error had occurred a few times. Each time I drop the full db and run the create script again (the create_sguildb.sql file). The error keeps happening.

I dropped the tables you suggested (sancp was missing) and restarted sguild; this time, after a short while, I see this in the syslog:

Feb 27 14:43:05 sun1 SGUILD: Loading access list: /etc/sguild/sguild.access
Feb 27 14:43:05 sun1 SGUILD: Sensor access list set to ALLOW ANY.
Feb 27 14:43:05 sun1 SGUILD: Client access list set to ALLOW ANY.
Feb 27 14:43:05 sun1 SGUILD: Email Configuration:
Feb 27 14:43:05 sun1 SGUILD: Config file: /etc/sguild/sguild.email
Feb 27 14:43:05 sun1 SGUILD: Enabled: No
Feb 27 14:43:05 sun1 SGUILD: Connecting to master.db.securecirt.com on 3306 as root
Feb 27 14:43:05 sun1 SGUILD: MySQL Version: version 5.0.18-log
Feb 27 14:43:05 sun1 SGUILD: SguilDB Version: 0.11
Feb 27 14:43:05 sun1 SGUILD: Creating event MERGE table.
Feb 27 14:43:05 sun1 SGUILD: Creating tcphdr MERGE table.
Feb 27 14:43:05 sun1 SGUILD: Creating udphdr MERGE table.
Feb 27 14:43:05 sun1 SGUILD: Creating icmphdr MERGE table.
Feb 27 14:43:05 sun1 SGUILD: Creating data MERGE table.
Feb 27 14:43:05 sun1 SGUILD: Loaderd Forked
Feb 27 14:43:05 sun1 SGUILD: Queryd Forked
Feb 27 14:43:05 sun1 SGUILD: Retrieving DB info...
Feb 27 14:43:05 sun1 SGUILD: SELECT hostname FROM sensor ORDER BY hostname ASC
Feb 27 14:43:05 sun1 SGUILD: SELECT sid FROM sensor WHERE hostname='securecirt-office'
Feb 27 14:43:05 sun1 SGUILD: SELECT ip FROM sensor WHERE hostname='securecirt-office'
Feb 27 14:43:05 sun1 SGUILD: SELECT MAX(timestamp) FROM event WHERE sid=1
Feb 27 14:43:05 sun1 SGUILD: Unknown command received from sguild:

and a few seconds after that this appears on the console I ran sguild from:

mysqlsel/db server: Can't find file: 'event' (errno: 2)
    while executing
"mysqlsel $MAIN_DB_SOCKETID $query -flatlist"
    (procedure "FlatDBQuery" line 5)
    invoked from within
"FlatDBQuery $tmpQuery"
    ("foreach" body line 15)
    invoked from within
"foreach sensorName $sensorList {
    set tmpQuery "SELECT sid FROM sensor WHERE hostname='$sensorName'"
    LogMessage " $tmpQuery"
    set sensorSi..."
    (file "/usr/local/bin/sguild" line 526)

Any more hints?

Many thanks

Jonathan

Bamm Visscher wrote:
> It looks like your MERGE definition is corrupt. Stop sguild and then
> from a mysql prompt using sguildb do: DROP TABLES event, tcphdr,
> udphdr, icmphdr, data, sancp;
>
> You won't use any data. Start sguild back up and see if that corrects
> the problem.
>
> Bammkkkk
>
> On 2/27/07, Jonathan Gill <jon...@se...> wrote:
>
>> Hi All,
>>
>> I'm trying out version 0.6.1 of sguil (seems to be the latest on the
>> site) but I'm running into some issues when using it.
>>
>> All is compiled and installed correctly (as far as I can see) following
>> the install docs, but when trying to show packet data within the client
>> (on windows) I see the following errors on the console for sguild
>>
>> Error: mysqlsel/db server: Can't find file: 'event' (errno: 2)
>> mysqlsel/db server: Can't find file: 'event' (errno: 2)
>>     while executing
>> "mysqlsel $MAIN_DB_SOCKETID $query -flatlist"
>>     (procedure "FlatDBQuery" line 5)
>>     invoked from within
>> "FlatDBQuery $query"
>>     (procedure "GetIPData" line 4)
>>     invoked from within
>> "$clientCmd $socketID $index1 $index2 "
>>     ("GetIPData" arm line 1)
>>     invoked from within
>> "switch -exact $clientCmd {
>>     DeleteEventID { $clientCmd $socketID $index1 $index2 }
>>     DeleteEventIDList { $clientCmd $socketID $data1 }
>> ..."
>>     (procedure "ClientCmdRcvd" line 30)
>>     invoked from within
>> "ClientCmdRcvd sock14"
>> SGUILD: killing child procs...
>> SGUILD: Exiting...
>>
>> Note this was run with sguild configured to write to a brand new clean
>> database, it did create all the tables when the sensor first connected
>> (db is named sguildb06)
>>
>> When restarting sguild I see the following within the syslog messages
>> Feb 27 09:52:40 sun1 SGUILD: MySQL Version: version 5.0.18-log
>> Feb 27 09:52:40 sun1 SGUILD: SguilDB Version: 0.11
>> Feb 27 09:52:40 sun1 SGUILD:
>> *************************************************************
>>
>> ERROR: You appear to be using an old version of the sguil database
>> schema that does not support the MERGE tables Please use the
>> migrate_event.tcl script and see the CHANGES document for more
>> information . Table event returned status => event {} {} {} {} {} {} {}
>> {} {} {} {} {} {} {} {} {} {Can't find file: 'event' (errno: 2)}
>> *************************************************************
>>
>> Any advice or hints from anyone?
>>
>> Thanks
>>
>> Jonathan
>>
>> --
>> Jonathan Gill
>> SecureCiRT Pte Ltd
>> http://www.securecirt.com/
>> PGP : 315C 314D CD36 CBFF 728E F167 FCD8 15B7 0287
>>
>> _______________________________________________
>> Sguil-devel mailing list
>> Sgu...@li...
>> https://lists.sourceforge.net/lists/listinfo/sguil-devel
>

--
Jonathan Gill
SecureCiRT Pte Ltd
http://www.securecirt.com/
PGP : 315C 314D CD36 CBFF 728E F167 FCD8 15B7 0287