Database Move Causing Problems

Chris Henderson

May 30, 2012, 12:52:00 PM
to securit...@googlegroups.com
Hey All,

I was hoping someone would be able to help me figure out an issue I am having on a new install of SO.

The machine I have SO installed on has a very small hard drive (20GB). I do, however, have a SAN with plenty of space. So I have created ISCSI mounts for both the /nsm directories and mysql.

I symlinked /nsm to /mnt/nsm and then moved /var/lib/mysql to /mnt/mysql and changed /etc/mysql/my.cnf to point to the new path. I did the same for /etc/apparmor.d/usr.sbin.mysqld.

After making those changes and making sure mysql started up, I ran the SO setup. Unfortunately, there are a bunch of problems.

1. The snorby web interface is accessible, but the sensor does not show up, so of course no events are displayed.
2. SQueRT doesn't seem to be running: "connection failed".
3. Cannot connect to Sguil either: "unable to connect to x.x.x.x on port 7734". netstat confirms it is not listening.

Here is a look at the databases in mysql:

mysql> show databases;
+--------------------+
| Database           |
+--------------------+
| information_schema |
| msf3               |
| mysql              |
| snorby             |
+--------------------+
4 rows in set (0.01 sec)

Here is the first part of the sostat command:
=========================================================================
Service Status
=========================================================================
Status: secon01-eth1
  * pcap_agent (sguil)                       [ OK ]
  * sancp_agent (sguil)                      [ OK ]
  * snort_agent (sguil)                      [ OK ]
  * pads_agent (sguil)                       [ OK ]
  * snort (alert data)                       [ OK ]
  * barnyard2 (spooler, unified2 format)     [ OK ]
  * sancp (session data)                     [ OK ]
  * pads (asset info)                        [ OK ]
  * daemonlogger (full packet data)          [ OK ]
  * argus                                    [ OK ]
  * http_agent (sguil)                       [ OK ]
Status: HIDS
  * ossec_agent (sguil)                      [ OK ]
Status: Bro
Name  Type        Host       Status   Pid   Peers  Started
bro   standalone  localhost  running  5260  0      30 May 16:37:00

Thoughts?

Chris

Doug Burks

May 30, 2012, 4:25:24 PM
to securit...@googlegroups.com
Hi Chris,

I haven't tried what you're attempting so I can't guarantee it will
work. If you have moved things such that you had to change the path
in /etc/mysql/my.cnf, then that is definitely a problem as several
scripts have hardcoded paths in them for /nsm and /var/lib/mysql/.
You should mount your ISCSI paths such that the original paths can be
retained.

Hope that helps!

Thanks,
Doug
--
Doug Burks | http://securityonion.blogspot.com
Don't miss SANS SEC503 Intrusion Detection In-Depth in
Augusta GA 6/11 - 6/16 | 10% discount for ISSA Members!
http://augusta.issa.org/drupal/SANS-Augusta-2012
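
The recommendation in the reply above, as an added example that is not part of the original thread or of Security Onion's own scripts: a shell check that flags the layout described in the first post (a symlinked /nsm, a relocated MySQL datadir). The function names and the ROOT prefix argument are assumptions of this example.

```shell
#!/bin/sh
# Added example: flags the relocated layout described in this thread.
# ROOT is a path prefix ("" on a live sensor) so a test tree can be checked.

# Print the datadir value from a my.cnf-style file (last assignment wins).
mysql_datadir() {
    sed -n 's/^[[:space:]]*datadir[[:space:]]*=[[:space:]]*//p' "$1" |
        tail -n 1 | sed 's/[[:space:]]*$//'
}

# check_path ROOT PATH: 0 = real directory, 1 = symlink, 2 = missing
check_path() {
    p="$1$2"
    if [ -L "$p" ]; then
        echo "FAIL $2 is a symlink to $(readlink "$p")"; return 1
    elif [ ! -d "$p" ]; then
        echo "FAIL $2 is not a directory"; return 2
    fi
    echo "OK   $2 is a real directory"
    # On a live system, also report whether the path is its own mount.
    if [ -z "$1" ] && command -v mountpoint >/dev/null 2>&1; then
        mountpoint -q "$2" && echo "     $2 is a mount point" \
            || echo "     $2 lives on its parent filesystem"
    fi
}

# check_layout ROOT CNF: exit status is the number of problems found
check_layout() {
    bad=0
    check_path "$1" /nsm || bad=$((bad + 1))
    check_path "$1" /var/lib/mysql || bad=$((bad + 1))
    dd=$(mysql_datadir "$2")
    case "$dd" in
        /var/lib/mysql|/var/lib/mysql/) echo "OK   datadir = $dd" ;;
        *) echo "FAIL datadir = ${dd:-unset}, expected /var/lib/mysql"
           bad=$((bad + 1)) ;;
    esac
    return "$bad"
}

# Run against the live system only when invoked with --live.
if [ "${1:-}" = "--live" ]; then
    check_layout "" /etc/mysql/my.cnf
fi
```

A clean result means both stock paths are real directories and my.cnf still names /var/lib/mysql, which is the state scripts with hardcoded paths expect.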