[Oisf-devel] Unified2 / MySQL

Rich Rumble richrumble at gmail.com
Mon Jan 4 20:03:12 UTC 2010


> I'm also in the middle of a "front end" coding marathon that is
> initially aimed as a GTK version of Sguil (read loose clone, written in
> Perl/GTK2) with plans for both a dedicated client and web based client
> that support real time event monitoring coupled with sensor/server
> management.

> If you're interesting in getting some dirty fingers then by all means
> contact me offline.
I'm a PHP man, so I doubt I'll be of much help; in fact I've not been
able to get the unified2 logs over to mysql yet using Barnyard2. I've
configured --with-mysql, and run the following command line:
barnyard2 -c /usr/local/etc/barnyard2.conf -v -d /var/log/suricata/ -f
unified2 -w /var/log/suricata/book.mark
And I receive the following:
WARNING: Can't extract timestamp extension from
'unified2.alert.1262466596'using base 'unified2'
WARNING: Can't extract timestamp extension from
'unified2.alert.1262470938'using base 'unified2'
WARNING: Can't extract timestamp extension from
'unified2.alert.1262470943'using base 'unified2'
WARNING: Can't extract timestamp extension from
'unified2.alert.1262629276'using base 'unified2'
WARNING: Can't extract timestamp extension from
'unified2.alert.1262468877'using base 'unified2'
WARNING: Can't extract timestamp extension from
'unified2.alert.1262466604'using base 'unified2'
WARNING: Can't extract timestamp extension from
'unified2.alert.1262485828'using base 'unified2'
WARNING: Can't extract timestamp extension from
'unified2.alert.1262467097'using base 'unified2'
WARNING: Can't extract timestamp extension from
'unified2.alert.1262466952'using base 'unified2'
etc...
I don't have snort on this machine, but I've pointed the
barnyard2.conf file to copies of the .map files and uncommented the
mysql line at the bottom and tuned to the proper password and DB name.

I started suricata in daemon mode: /usr/local/bin/suricata -c
suricata.yaml -i eth0 -D
I'd love to get this going and even throw in a basic how-to afterward.
-rich
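The warnings above come from the spool-file naming check: barnyard2's -f argument is the base name, and everything after it has to be a dot and a decimal epoch timestamp. With base 'unified2' the remainder of 'unified2.alert.1262466596' is '.alert.1262466596', which is not a timestamp. Below is a small Python model of that check, added here as an illustration and not code from barnyard2 or from the post; it assumes the rule "filename = <base>.<epoch>" and uses constructed sample file names taken from the warnings.

```python
from typing import List, Optional, Tuple

# Constructed sample directory listing (names from the warnings in the post,
# plus the waldo/bookmark file that lives in the same directory).
SAMPLE_FILES = [
    "unified2.alert.1262466596",
    "unified2.alert.1262629276",
    "unified2.alert.1262470938",
    "book.mark",
]


def extract_timestamp(filename: str, base: str) -> Optional[int]:
    """Model of the spool naming rule (assumption: <base>.<epoch>).

    Returns the epoch extension when the name matches, else None.
    """
    if not filename.startswith(base):
        return None
    ext = filename[len(base):]
    # The part after the base must be '.' followed by decimal digits only.
    if not ext.startswith(".") or not ext[1:].isdigit():
        return None
    return int(ext[1:])


def select_spool_files(filenames: List[str], base: str) -> Tuple[List[str], List[str]]:
    """Scan a listing like the spooler would: files sharing the base prefix but
    lacking a numeric extension produce a warning; matches are ordered by epoch.
    """
    matched: List[Tuple[int, str]] = []
    warnings: List[str] = []
    for name in filenames:
        if not name.startswith(base):
            continue  # unrelated file (e.g. the bookmark), ignored
        ts = extract_timestamp(name, base)
        if ts is None:
            warnings.append(
                f"WARNING: Can't extract timestamp extension from '{name}' using base '{base}'"
            )
        else:
            matched.append((ts, name))
    matched.sort()
    return [name for _, name in matched], warnings


if __name__ == "__main__":
    for base in ("unified2", "unified2.alert"):
        files, warns = select_spool_files(SAMPLE_FILES, base)
        print(f"base={base!r}: {len(files)} spool files, {len(warns)} warnings")
        for w in warns:
            print("  " + w)
```

Running it with base 'unified2' reproduces three warnings and selects no spool file; with base 'unified2.alert' (the prefix Suricata writes before the timestamp) all three files are accepted in timestamp order.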


