krisse Guru
Joined: 15 Mar 2005 Posts: 325 Location: Sweden
Posted: Thu Apr 19, 2007 7:56 am Post subject: [PRELUDE] Sensors: abnormal offline [SOLVED!]
Just got prelude (manager & lml), snort and prewikka up and running -- and then it just stopped. As far as I can tell, I didn't do anything, but surely I must have anyway. Hoping you could have any ideas as to what I could check!
- Something with the manager is working: I get stuff in /var/log/prelude.log. Everything seems as it should be, there, as far as I can tell. Getting both log- and snort-alerts.
- They do not get reported to anywhere prewikka can see it: all sensors reported as offline. I'm thinking the problem might be with the IDMEF database?
I'm assuming prewikka gets its information from the IDMEF database?
I checked by doing a login -- which got reported into /var/log/prelude.log all right, but a mysql `SELECT COUNT(*) FROM Prelude_Alert;` shows that nothing gets reported. (Not sure if this is a good way to check if anything gets recorded to the IDMEF, maybe someone has a better suggestion?)
Running a generally stable system (package-wise), but all prelude-packages are x86.
There was a recent MySQL update... ( 5.0.38 ) Hmm... I do think it worked with that version initially though, but maybe this is the culprit in some way? The MySQL server is up and running, and I haven't noticed anything being wrong (with that or elsewhere in the system), apart from this thing with IDMEF(?).
Any thoughts and all ideas are appreciated! *sigh* I was getting all smug and satisfied, having finally gotten the configs right -- it worked for some days -- and then this. :(
Last edited by krisse on Fri Apr 20, 2007 4:47 am; edited 1 time in total
grunthus Apprentice
Joined: 21 Apr 2005 Posts: 194 Location: Shetland UK
Posted: Thu Apr 19, 2007 8:31 pm Post subject:
It's a size limit that needs reset in mysql; if you check your MySQL logs, or manually restart prelude-manager, you might find this:
Query error: The table 'Prelude_Analyzer' is full.
I quote from the solution I used, given to me by one of the developers of Prelude. (Can't find the FAQ listing now online.)
Quote:
> Hi Chris,
>
> Some MySQL distributions come with a default MySQL InnoDB setting that
> limits the maximum table expansion. This setting is in the form:
>
> innodb_data_file_path = ibdata1:10M:autoextend:max:128M
>
> In order to fix it, you should change it to:
>
> innodb_data_file_path = ibdata1:10M:autoextend
>
> Regards,
Perfect, that has solved the problem, restarting mysql, prelude-manager etc,
now functions in prewikka.
Is that worth putting on the FAQ on the prelude website?
Thanks for the help
Chris
The mailing list is prelude-user@prelude-ids.org, worth subscribing to.
_________________
Read 'Free Software - Free Society' by RM Stallman
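A check for the capped-tablespace setting quoted in the post above, as an added example that is not part of the thread or of Prelude's own code. It parses a my.cnf and reports the hard ceiling that `innodb_data_file_path` places on the system tablespace. The function names and the sample file are hypothetical, and it assumes Unix-style file names and that the Prelude tables live in the system tablespace.

```python
import re

UNITS = {"": 1, "K": 1024, "M": 1024**2, "G": 1024**3}
# Constructed sample my.cnf; the innodb_data_file_path value is the capped form quoted above.
SAMPLE_CNF = """\
[mysqld]
datadir = /var/lib/mysql   # constructed path
innodb_data_file_path = ibdata1:10M:autoextend:max:128M
"""

def to_bytes(size):
    """Convert an InnoDB size such as '10M' to bytes."""
    m = re.fullmatch(r"(\d+)([KMG]?)", size.strip().upper())
    if not m:
        raise ValueError(f"bad size: {size!r}")
    return int(m.group(1)) * UNITS[m.group(2)]

def parse_data_file_path(value):
    """Parse 'name:size[:autoextend[:max:size]];...' (file names without ':')."""
    files = []
    for spec in filter(None, (s.strip() for s in value.split(";"))):
        parts = spec.split(":")
        attrs = [p.lower() for p in parts[2:]]
        cap = to_bytes(attrs[attrs.index("max") + 1]) if "max" in attrs else None
        files.append({"name": parts[0], "size": to_bytes(parts[1]),
                      "autoextend": "autoextend" in attrs, "max": cap})
    return files

def tablespace_ceiling(cnf_text):
    """Hard ceiling in bytes of the system tablespace, or None if only disk space limits it."""
    section, value = None, None
    for raw in cnf_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.startswith("["):
            section = line.strip("[]").lower()
        elif section == "mysqld" and "=" in line:
            key, val = (p.strip() for p in line.split("=", 1))
            if key.replace("-", "_") == "innodb_data_file_path":
                value = val
    if value is None:
        return None  # option unset: MySQL's built-in default autoextends with no max
    total = 0
    for f in parse_data_file_path(value):
        if f["autoextend"] and f["max"] is None:
            return None  # last file grows freely, so there is no configured cap
        total += f["max"] if f["autoextend"] else f["size"]
    return total
```

Calling `tablespace_ceiling()` on the text of the server's my.cnf returns a byte count when a `max` cap is configured, which can be compared against the current size of the ibdata file to alert before the IDMEF database stops accepting inserts.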
krisse Guru
Joined: 15 Mar 2005 Posts: 325 Location: Sweden
Posted: Fri Apr 20, 2007 4:46 am Post subject:
Spot on!
Wonderful!
Thanks a lot! (And thanks for the tip about the mailing-list!)