Barnyard2 error with spool current fix did not work


tacti...@gmail.com
Oct 2, 2013, 12:45:47 PM
to barnyar...@googlegroups.com
Ok, so I'm running Ubuntu 12.04 server, barnyard2 latest stable and Snort 2.9ish.

I get these errors when I run barnyard2:
Warning:  ignoring corrupt/truncated waldofile ' /var/log/snort/barnyard2.waldo
Error: unable to open directory ' ' (no such file or directory)
Error: unable to find the next spool file!

Ok, what I have already tried: making sure snort and its files are owned by root, with r,w,x for root and its group root, and others get read/execute.
I have also tried that both ways.
ERROR: Unable to find the next spool file!
 Ensure that the waldo file is specified (by the -w option included as a command line argument or in the config file)

I appear to be able to do batch files, and it doesn't matter if snort is running or anything else, as I have tried this fresh from start-up.
The command I run is /root/barnyard2-install/bin/barnyard2 -c /etc/snort/barnyard2Alt.conf -f /var/log/snort/merged.log.*

Any suggestions would be greatly appreciated guys.

tacti...@gmail.com
Oct 2, 2013, 1:04:13 PM
to barnyar...@googlegroups.com
Oh, batch mode does work, just continuous doesn't work.

beenph
Oct 2, 2013, 3:32:38 PM
to barnyar...@googlegroups.com
-f argument is the prefix of the unified2 file you're trying to monitor, and

-d argument is the directory where you want barnyard2 to supervise
spool files.

-elz

tacti...@gmail.com
Oct 7, 2013, 8:24:55 AM
to barnyar...@googlegroups.com
Yes, so I need a -d flag?

That is in my config file, the spool directory, which is /var/log/snort:

# cat > /etc/snort/barnyard2.conf << EOF
config reference_file:      /etc/snort/reference.config
config classification_file: /etc/snort/classification.config
config gen_file:            /etc/snort/gen-msg.map
config sid_file:            /etc/snort/community-sid-msg.map
config logdir: /var/log/snort
spool dir: /var/log/snort
spool file: merged.log
config hostname: fffSnort
config interface:  eth1
config daemon
config waldo_file: /var/log/snort/barnyard2.waldo
input unified2
  output database: log, mysql, user=xxx password=xxx dbname=snortdb host=localhost

tacti...@gmail.com
Oct 7, 2013, 9:17:00 AM
to barnyar...@googlegroups.com
I tried the -d flag but still get:

Error: unable to open directory ' ' (no such file or directory)
Error: unable to find the next spool file!


tacti...@gmail.com
Oct 7, 2013, 10:24:25 AM
to barnyar...@googlegroups.com
I have set permissions back to snort and made everything 777 with the -R flag. I have also got barnyard2 to put a waldo file in /var/log/snort. It still will not read in continuous mode and gives the same error, even using -d and -f.



beenph
Oct 7, 2013, 11:05:45 AM
to barnyar...@googlegroups.com
What's your command line?

Because your initial command line was erroneous; in my reply I told
you what to fix, but maybe you didn't fix it.

ex: -f merged.log <GOOD>
-f /var/log/snort/merged.log.* <BAD>
-f /var/log/snort/merged.log <BAD>

D M
Oct 7, 2013, 6:05:11 PM
to barnyar...@googlegroups.com
Ok, I have changed the -f to merged.log.*

The command line is the same except the -f is now merged.log.* and -d is /var/log/snort.

I really do appreciate the help. It's been a long and rough introduction to Linux and Snort.



beenph
Oct 7, 2013, 10:30:04 PM
to barnyar...@googlegroups.com
Not merged.log.*, just merged.log.

The timestamp suffix will be handled by barnyard2 itself.

Like this: "-f merged.log" (without quotes)

-elz

D M
Oct 8, 2013, 12:18:14 PM
to barnyar...@googlegroups.com
Ok, thanks. I will be able to try that tomorrow. I will let you know if that works. Thank you very much.

tacti...@gmail.com
Oct 9, 2013, 8:25:32 AM
to barnyar...@googlegroups.com
Current command line is /root/barnyard2-install/bin/barnyard2 -c /etc/snort/barnyard2Alt.conf -d /var/log/snort -f merged.log -w /var/log/snort/barnyard2.waldo

I get the same error as before; however, it does read the waldo now. Is there anything else that might cause this error?



beenph
Oct 9, 2013, 9:45:31 AM
to barnyar...@googlegroups.com
On Wed, Oct 9, 2013 at 8:25 AM, <tacti...@gmail.com> wrote:
> current command line is /root/barnyard2-install/bin/barnyard2 -c
> /etc/snort/barnyard2Alt.conf -d /var/log/snort -f merged.log -w
> /var/log/snort/barnyard2.waldo
>
> I get the same error as before however it does read the waldo now. Is there
> anything else that might cause this error?
>
>
Which error?

tacti...@gmail.com
Oct 9, 2013, 9:54:35 AM
to barnyar...@googlegroups.com
In syslog:

Error: unable to open directory ' ' (no such file or directory)
Error: unable to find the next spool file!

beenph
Oct 9, 2013, 10:10:55 AM
to barnyar...@googlegroups.com
On Wed, Oct 9, 2013 at 9:54 AM, <tacti...@gmail.com> wrote:
> in syslog
>
>
Copy-paste the error you are referring to.

tacti...@gmail.com
Oct 9, 2013, 10:20:44 AM
to barnyar...@googlegroups.com

Oct  9 08:19:06 VMLSnort barnyard2: Barnyard2 spooler: Event cache size set to [2048]
Oct  9 08:19:06 VMLSnort barnyard2: Log directory = /var/log/snort
Oct  9 08:19:06 VMLSnort barnyard2: INFO database: Defaulting Reconnect/Transaction Error limit to 10
Oct  9 08:19:06 VMLSnort barnyard2: INFO database: Defaulting Reconnect sleep time to 5 second
Oct  9 08:19:06 VMLSnort barnyard2: Initializing daemon mode
Oct  9 08:19:06 VMLSnort barnyard2: Daemon parent exiting
Oct  9 08:19:06 VMLSnort barnyard2: Daemon initialized, signaled parent pid: 2448
Oct  9 08:19:06 VMLSnort barnyard2: PID path stat checked out ok, PID path set to /var/run/
Oct  9 08:19:06 VMLSnort barnyard2: Writing PID "2449" to file "/var/run//barnyard2_eth1.pid"
Oct  9 08:19:06 VMLSnort barnyard2: [SignatureReferencePullDataStore()]: No Reference found in database ...
Oct  9 08:19:06 VMLSnort barnyard2: database: compiled support for (mysql)
Oct  9 08:19:06 VMLSnort barnyard2: database: configured to use mysql
Oct  9 08:19:06 VMLSnort barnyard2: database: schema version = 107
Oct  9 08:19:06 VMLSnort barnyard2: database:           host = localhost
Oct  9 08:19:06 VMLSnort barnyard2: database:           user = xxx
Oct  9 08:19:06 VMLSnort barnyard2: database:  database name = xxxx
Oct  9 08:19:06 VMLSnort barnyard2: database:    sensor name = xxxx:eth1
Oct  9 08:19:06 VMLSnort barnyard2: database:      sensor id = 1
Oct  9 08:19:06 VMLSnort barnyard2: database:     sensor cid = 849
Oct  9 08:19:06 VMLSnort barnyard2: database:  data encoding = hex
Oct  9 08:19:06 VMLSnort barnyard2: database:   detail level = full
Oct  9 08:19:06 VMLSnort barnyard2: database:     ignore_bpf = no
Oct  9 08:19:06 VMLSnort barnyard2: database: using the "log" facility
Oct  9 08:19:06 VMLSnort barnyard2:
Oct  9 08:19:06 VMLSnort barnyard2:         --== Initialization Complete ==--
Oct  9 08:19:06 VMLSnort barnyard2: Barnyard2 initialization completed successfully (pid=2449)
Oct  9 08:19:06 VMLSnort barnyard2: Using waldo file '/var/log/snort/barnyard2.waldo':#012    spool directory = #012    spool filebase  = #012    time_stamp      = 0#012    record_idx      = 2
Oct  9 08:19:06 VMLSnort barnyard2: ERROR: Unable to open directory '' (No such file or directory)
Oct  9 08:19:06 VMLSnort barnyard2: ERROR: Unable to find the next spool file!
Oct  9 08:19:06 VMLSnort barnyard2: ===============================================================================
Oct  9 08:19:06 VMLSnort barnyard2: Record Totals:
Oct  9 08:19:06 VMLSnort barnyard2:    Records:           0
Oct  9 08:19:06 VMLSnort barnyard2:    Events:           0 (0.000%)
Oct  9 08:19:06 VMLSnort barnyard2:    Packets:           0 (0.000%)
Oct  9 08:19:06 VMLSnort barnyard2:    Unknown:           0 (0.000%)
Oct  9 08:19:06 VMLSnort barnyard2:    Suppressed:           0 (0.000%)
Oct  9 08:19:06 VMLSnort barnyard2: ===============================================================================
Oct  9 08:19:06 VMLSnort barnyard2: Packet breakdown by protocol (includes rebuilt packets):
Oct  9 08:19:06 VMLSnort barnyard2:       ETH: 0          (0.000%)
Oct  9 08:19:06 VMLSnort barnyard2:   ETHdisc: 0          (0.000%)
Oct  9 08:19:06 VMLSnort barnyard2:      VLAN: 0          (0.000%)
Oct  9 08:19:06 VMLSnort barnyard2:      IPV6: 0          (0.000%)
Oct  9 08:19:06 VMLSnort barnyard2:   IP6 EXT: 0          (0.000%)
Oct  9 08:19:06 VMLSnort barnyard2:   IP6opts: 0          (0.000%)
Oct  9 08:19:06 VMLSnort barnyard2:   IP6disc: 0          (0.000%)
Oct  9 08:19:06 VMLSnort barnyard2:       IP4: 0          (0.000%)
Oct  9 08:19:06 VMLSnort barnyard2:   IP4disc: 0          (0.000%)
Oct  9 08:19:06 VMLSnort barnyard2:     TCP 6: 0          (0.000%)
Oct  9 08:19:06 VMLSnort barnyard2:     UDP 6: 0          (0.000%)
Oct  9 08:19:06 VMLSnort barnyard2:     ICMP6: 0          (0.000%)
Oct  9 08:19:06 VMLSnort barnyard2:   ICMP-IP: 0          (0.000%)
Oct  9 08:19:06 VMLSnort barnyard2:       TCP: 0          (0.000%)
Oct  9 08:19:06 VMLSnort barnyard2:       UDP: 0          (0.000%)
Oct  9 08:19:06 VMLSnort barnyard2:      ICMP: 0          (0.000%)
Oct  9 08:19:06 VMLSnort barnyard2:   TCPdisc: 0          (0.000%)
Oct  9 08:19:06 VMLSnort barnyard2:   UDPdisc: 0          (0.000%)
Oct  9 08:19:06 VMLSnort barnyard2:   ICMPdis: 0          (0.000%)
Oct  9 08:19:06 VMLSnort barnyard2:      FRAG: 0          (0.000%)
Oct  9 08:19:06 VMLSnort barnyard2:    FRAG 6: 0          (0.000%)
Oct  9 08:19:06 VMLSnort barnyard2:       ARP: 0          (0.000%)
Oct  9 08:19:06 VMLSnort barnyard2:     EAPOL: 0          (0.000%)
Oct  9 08:19:06 VMLSnort barnyard2:   ETHLOOP: 0          (0.000%)
Oct  9 08:19:06 VMLSnort barnyard2:       IPX: 0          (0.000%)
Oct  9 08:19:06 VMLSnort barnyard2:     OTHER: 0          (0.000%)
Oct  9 08:19:06 VMLSnort barnyard2:   DISCARD: 0          (0.000%)
Oct  9 08:19:06 VMLSnort barnyard2: InvChkSum: 0          (0.000%)
Oct  9 08:19:06 VMLSnort barnyard2:    S5 G 1: 0          (0.000%)
Oct  9 08:19:06 VMLSnort barnyard2:    S5 G 2: 0          (0.000%)
Oct  9 08:19:06 VMLSnort barnyard2:     Total: 0
Oct  9 08:19:06 VMLSnort barnyard2:

beenph
Oct 9, 2013, 10:31:37 AM
to barnyar...@googlegroups.com
On Wed, Oct 9, 2013 at 10:20 AM, <tacti...@gmail.com> wrote:
>
Delete your waldo file and restart your process.
Seems like your waldo file is corrupted.

-elz

tacti...@gmail.com
Oct 9, 2013, 10:39:33 AM
to barnyar...@googlegroups.com
Well, it read the two files, so the waldo file created by batch was wrong. Ok, well, thank you, I'm now reading files.

Do I need to do anything to indicate this is solved?

Again thank you

beenph
Oct 10, 2013, 1:41:49 AM
to barnyar...@googlegroups.com
On Wed, Oct 9, 2013 at 10:39 AM, <tacti...@gmail.com> wrote:
> well it read the two files so the waldo file created by batch was wrong ok
> well thank you Im now reading files
>

Waldo information will supersede information provided in the command line
for continuous mode processing,
and from the log you posted that's what seems to have happened; if you review
it you should be able to pinpoint
where it happens.


> Do I need to do anything to indicate this is solved?
>
Well, if it works now, as I seem to understand from your e-mail, I guess
not, but if you have questions
or issues do not hesitate to spawn a new thread on the mailing list.

> Again thank you
np, glad it worked.

-elz
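As an added example (not barnyard2's own code and not from this thread), the following Python decodes a waldo file and applies the two rules the replies above establish: -f must be a bare prefix, and the waldo record overrides -d/-f in continuous mode, so an empty spool directory inside it produces the "Unable to open directory ''" failure. The on-disk layout (two 1024-byte strings followed by two native uint32 fields) is assumed from barnyard2's WaldoData struct, and the sample blobs are constructed inline.

```python
import struct
from typing import Optional

# Assumed on-disk layout of barnyard2's WaldoData (spooler.h): two 1024-byte
# char arrays (spool_dir, spool_filebase) then two native uint32 fields
# (timestamp, record_idx), written as a raw struct. Sizes are an assumption.
STD_BUF = 1024
WALDO_FMT = f"{STD_BUF}s{STD_BUF}sII"
WALDO_SIZE = struct.calcsize(WALDO_FMT)


def build_waldo(spool_dir: str, filebase: str, ts: int, idx: int) -> bytes:
    """Constructed sample waldo blob for testing; not real sensor output."""
    return struct.pack(WALDO_FMT, spool_dir.encode(), filebase.encode(), ts, idx)


def parse_waldo(blob: bytes) -> dict:
    """Decode a waldo blob, raising ValueError when it is truncated."""
    if len(blob) < WALDO_SIZE:
        raise ValueError(f"truncated waldo: {len(blob)} of {WALDO_SIZE} bytes")
    d, f, ts, idx = struct.unpack(WALDO_FMT, blob[:WALDO_SIZE])
    return {
        "spool_dir": d.split(b"\0", 1)[0].decode(errors="replace"),
        "spool_filebase": f.split(b"\0", 1)[0].decode(errors="replace"),
        "timestamp": ts,
        "record_idx": idx,
    }


def check_continuous(spool_dir: str, filebase: str, waldo: Optional[dict]) -> list:
    """Return the problems that would stop continuous mode for these -d/-f values."""
    problems = []
    # -f is a bare prefix: barnyard2 appends the timestamp suffix itself.
    if "/" in filebase or "*" in filebase:
        problems.append("-f must be a bare prefix such as merged.log, not a path or glob")
    if waldo is None:
        return problems
    # The waldo record supersedes -d/-f, so an empty spool_dir in it is what
    # yields "Unable to open directory ''" even when -d is correct.
    if not waldo["spool_dir"] or not waldo["spool_filebase"]:
        problems.append("waldo has empty spool_dir/filebase: delete it and restart")
    elif (waldo["spool_dir"], waldo["spool_filebase"]) != (spool_dir, filebase):
        problems.append("waldo points at a different spool dir/prefix than -d/-f")
    return problems


if __name__ == "__main__":
    # Mirrors the values in the posted syslog: empty dir/filebase, record_idx 2.
    bad = parse_waldo(build_waldo("", "", 0, 2))
    print(check_continuous("/var/log/snort", "merged.log", bad))
```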