Re: [Sguil-users] Problem with running processes on separate boxes using 0.6.0rc3
From: Brian A. H. <hug...@is...> - 2005-11-18 22:04:33
Thanks Richard, BTW nice book (The TAO of Network Security Monitoring) :-)

This gets me a bit closer. It has stopped complaining now, but it also does not seem to be writing anything to the database. The only tables that have any content are sensor, status, user_info, and version. My first thought is that in the new scheme of things sguild has problems, but it looks OK:

[sguil@SGUIL-Server server]$ ./sguild -c sguild.conf -u sguild.users -O /usr/local/lib/libtls1.50.so -C /usr/local/etc/snort
KEY is /usr/local/etc/snort/sguild.key
pid(13462) Loading access list: ./sguild.access
pid(13462) Sensor access list set to ALLOW ANY.
pid(13462) Client access list set to ALLOW ANY.
pid(13462) Email Configuration:
pid(13462) Config file: ./sguild.email
pid(13462) Enabled: No
pid(13463) Loaderd Forked
pid(13464) Queryd Forked
pid(13462) Retrieving DB info...
pid(13462) Warning: Event table appears to be empty.
pid(13462) If this is a new DB, then you can safely ignore this warning.
pid(13462) Retrieving DB info...
pid(13462) Sguild Initialized.
pid(13462) Connect from xxx.yyy.zzz.30:51819 sock13
pid(13462) Validating sensor access: xxx.yyy.zzz.30 :
pid(13462) ALLOWED
pid(13462) Client Connect: xxx.yyy.zzz.70 32943 sock14
pid(13462) Validating client access: xxx.yyy.zzz.70
pid(13462) Valid client access: xxx.yyy.zzz.70
pid(13462) sock14 added to clientList

So that appears to be working correctly. Everything else seems to start normally too, but nothing makes it to the database and of course in turn nothing makes it to the SGUIL client. Any suggestions on where to look?

Thanks & Best Regards,
Brian

Richard Bejtlich wrote:
>On 11/18/05, Brian A. Hughes <hug...@is...> wrote:
>
>>Hi Everyone,
>>
>>I have sensors on separate boxes, database on another box, and SGUIL
>>server on another box, and of course the client on yet another box. I
>>used to have the following in my barnyard.conf file:
>>
>
>Hi Brian,
>
>Sguil 0.6.0 has a new communications architecture, something like this:
>
>Snort -> Barnyard -> sensor_agent.tcl -> sguild -> MySQL
>
>In other words, Barnyard does not talk directly to MySQL anymore.
>
>You tell Sguil about your database server in the sguild.conf file:
>
>http://cvs.sourceforge.net/viewcvs.py/sguil/sguil/server/sguild.conf?rev=1.28&view=markup
>
># DataBase Info
>set DBNAME sguildb
>set DBPASS ""
>set DBHOST localhost
>set DBPORT 3306
>set DBUSER root
>
>Did you set this information properly?
>
>You should start sguild first, then sensor_agent.tcl, and then barnyard.
>
>Sincerely,
>
>Richard
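As an added offline check (not part of this thread or of Sguil itself): parse the `set` lines of a sguild.conf DataBase Info block and flag what would leave sguild pointed at the wrong database box, or logging in to MySQL as root with an empty password. The sample configs, the hostname db.example.internal and the password are constructed placeholders.

```python
import re

# Keys of the "DataBase Info" block in sguild.conf, as quoted in the thread.
REQUIRED_DB_KEYS = ("DBNAME", "DBPASS", "DBHOST", "DBPORT", "DBUSER")
# Tcl `set NAME value`; the value may be bare, "double-quoted" or {brace-quoted}.
SET_RE = re.compile(r'^\s*set\s+(\w+)\s+(?:"([^"]*)"|\{([^}]*)\}|(\S+))\s*$')

def parse_sguild_conf(text):
    """Return {NAME: value} for every `set` line; comments and blanks are skipped."""
    settings = {}
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = SET_RE.match(line)
        if m:
            name, quoted, braced, bare = m.groups()
            settings[name] = next(v for v in (quoted, braced, bare) if v is not None)
    return settings

def check_db_settings(settings, expected_host=None):
    """Return findings (empty list = looks sane). expected_host is the box MySQL
    really runs on, if known: sguild only talks to DBHOST, so a remote database
    left at 'localhost' silently receives no events."""
    findings = []
    for key in REQUIRED_DB_KEYS:
        if key not in settings:
            findings.append(f"missing {key}")
    if settings.get("DBPASS", "") == "":
        findings.append("DBPASS is empty: sguild would log in to MySQL without a password")
    if settings.get("DBUSER") == "root":
        findings.append("DBUSER is root: use a dedicated account limited to the sguil database")
    if not settings.get("DBPORT", "3306").isdigit():
        findings.append("DBPORT is not numeric")
    if expected_host and settings.get("DBHOST") != expected_host:
        findings.append(f"DBHOST is {settings.get('DBHOST')!r}, expected {expected_host!r}")
    return findings

# Constructed samples: the defaults quoted by Richard, and a hardened variant
# whose hostname and password are placeholders only.
DEFAULT_CONF = '# DataBase Info\nset DBNAME sguildb\nset DBPASS ""\nset DBHOST localhost\nset DBPORT 3306\nset DBUSER root\n'
HARDENED_CONF = ('set DBNAME sguildb\nset DBPASS "placeholder-change-me"\n'
                 'set DBHOST db.example.internal\nset DBPORT 3306\nset DBUSER sguild\n')

if __name__ == "__main__":
    for label, conf in (("default", DEFAULT_CONF), ("hardened", HARDENED_CONF)):
        found = check_db_settings(parse_sguild_conf(conf), expected_host="db.example.internal")
        print(f"{label}: " + ("; ".join(found) or "ok"))
```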