Re: [Sguil-users] Sguil Crashes at Startup
From: Bamm V. <bam...@gm...> - 2009-12-30 21:03:07
Sguild recreates the MERGE tables on init. I seem to remember running
across this issue before and can't remember for the life of me what the
problem was. I _think_ it was a mysql or OS resources issue.

Bamm

On Wed, Dec 30, 2009 at 3:53 PM, Eoin Miller <eoi...@tr...> wrote:
> Sguil *needs* the merge tables in order to do SELECT statements. You
> need to recreate them:
>
> http://dev.mysql.com/doc/refman/5.0/en/merge-storage-engine.html
>
> -- Eoin
>
> lhe...@ve... wrote:
>> I should clarify, I dropped the merge tables, not the DB tables. Your
>> assistance is greatly appreciated.
>>
>>
>> Dec 30, 2009 02:28:36 PM, sgu...@li... wrote:
>>
>>
>> Dropping tables may not work for Sguil. However, generally you can
>> always drop the 'sguildb' database and sguild will attempt to recreate
>> the 'sguildb' database for you.
>>
>> The quickest way to drop the sguildb database and still preserve data
>> would be to 1) stop mysqld, 2) rename the sguildb database directory,
>> 3) restart mysql and sguil.
>>
>> The problem with this method is that when the sensors automatically
>> reconnect to sguild, they will be assigned 'new' sid's generated for the
>> new database. So, unless the sensor agents are restarted, some agents
>> will continue sending data (i.e. events) containing the old 'sid's. The
>> result is events that do not match valid sensors. One way to avoid this
>> problem: restart the sensor agents -prior- to restarting sguild.
>>
>> /etc/init.d/mysql stop
>> mv /var/lib/mysql/sguildb /var/lib/mysql/sguildb.20091230
>> /etc/init.d/mysql start
>> cd /usr/local/bin/server
>> ( stop sensor agents )
>> ./sguild -- -c sguild.conf
>> "Error: mysqluse/db server: Unknown database 'sguildb'"
>> "The database sguildb does not exist. Create it ([y]/n?): y
>> "Path to create_sguildb.sql [./sql_scripts/create_sguildb.sql]:
>> Creating the sguildb - ok
>> ....
>> ( start sensor agents )
>>
>> -John
>>
>>
>> lhe...@ve... wrote:
>> > I have dropped tables, run mysqlcheck, and get the following errors at
>> > startup. I am new and any help would be greatly appreciated.
>> >
>> > mysqlsel/db server: MySQL server has gone away
>> > while executing
>> > "mysqlsel $MAIN_DB_SOCKETID $tmpQry -list"
>> > invoked from within
>> > "if { $mergeTableListArray(event) != "" } {
>> >
>> > # Get the archived alerts
>> > LogMessage "Querying DB for archived events..."
>> > set MAJOR_MYSQL_VERS..."
>> > (file "/etc/sguild/sguild" line 638)
>> >
>> > On the mysqld.log I get this:
>> >
>> > Trying to get some variables.
>> > Some pointers may be invalid and cause the dump to abort...
>> > thd->query at 0x90410e8 = SELECT event.status, event.priority,
>> > event.class, sensor.hostname,
>> > event.timestamp, event.sid, event.cid, event.signature,
>> > INET_NTOA(event.src_ip), INET_NTOA(event.dst_ip), event.ip_proto,
>> > event.src_port, event.dst_port, event.signature_gen, event.signature_id,
>> > event.signature_rev, event.unified_event_id, unified_event_ref
>> > FROM event
>> > FORCE INDEX (status)
>> > JOIN sensor ON event.sid=sensor.sid
>> > WHERE event.status=0 ORDER BY event.timestamp ASC
>> > thd->thread_id=17
>> > The manual page at http://dev.mysql.com/doc/mysql/en/crashing.html
>> > contains
>> > information that should help you find out what is causing the crash.
>> >
>> > When I run the select statement against the database it cokes up with
>> > no errors.
>> >
>> > _______________________________________________
>> > Sguil-users mailing list
>> > Sgu...@li...
>> > https://lists.sourceforge.net/lists/listinfo/sguil-users
>

--
sguil - The Analyst Console for NSM
http://sguil.sf.net
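
Added example, not part of the original thread and not Sguil's own code: a check for the condition John describes above, events carrying an old sid that has no row in the new sensor table. It assumes a reduced, constructed schema holding only columns named in the quoted query, and uses SQLite as an offline stand-in for MySQL; the function names and sample rows are hypothetical.

```python
import sqlite3

# Constructed, reduced stand-in for sguildb: only columns that appear in the
# query quoted in the thread. Real Sguil uses MySQL; SQLite keeps this offline.
SCHEMA = """
CREATE TABLE sensor (sid INTEGER PRIMARY KEY, hostname TEXT);
CREATE TABLE event (sid INTEGER, cid INTEGER, timestamp TEXT, status INTEGER);
"""

# Events whose sid has no row in sensor (sent by agents still using old sids).
ORPHAN_QUERY = """
SELECT event.sid, COUNT(*), MIN(event.timestamp), MAX(event.timestamp)
FROM event LEFT JOIN sensor ON event.sid = sensor.sid
WHERE sensor.sid IS NULL
GROUP BY event.sid ORDER BY event.sid
"""

# Same join shape as the console query in the thread (inner JOIN on sid).
VISIBLE_QUERY = """
SELECT COUNT(*) FROM event JOIN sensor ON event.sid = sensor.sid
WHERE event.status = 0
"""

def build_sample_db():
    """Constructed sample: a fresh database knows sid 1, one agent still sends sid 7."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.execute("INSERT INTO sensor VALUES (1, 'sensor-a')")
    conn.executemany("INSERT INTO event VALUES (?, ?, ?, ?)", [
        (1, 1, "2009-12-30 20:00:00", 0),
        (7, 101, "2009-12-30 20:05:00", 0),  # old sid, no matching sensor row
        (7, 102, "2009-12-30 20:06:00", 0),
    ])
    return conn

def find_orphaned_sids(conn):
    """Return [(sid, event_count, first_seen, last_seen)] for unmatched sids."""
    return [tuple(row) for row in conn.execute(ORPHAN_QUERY)]

def visible_event_count(conn):
    """Count open events that survive the inner join on sensor.sid."""
    return conn.execute(VISIBLE_QUERY).fetchone()[0]

if __name__ == "__main__":
    db = build_sample_db()
    print("orphaned sids:", find_orphaned_sids(db))
    print("events returned by the joined query:", visible_event_count(db))
```

Because the quoted query uses an inner JOIN on sensor.sid, events with an unmatched sid are stored but never returned to the console, so a non-empty result here means open alerts are being hidden rather than lost.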