Argus Mysql - rasqlinsert suser duser

Carter Bullard carter at qosient.com
Sat Sep 12 10:17:02 EDT 2009 

Hey CS Lee,
So, there is a set of mysql logs that may have the error in it.
I suspect that the error comes from some text pattern in the user
data buffer itself, like a comma or a quote in the buffer.
I'll have to look at the "escaping" code to see that it covers the
user data (I've never inserted the user data buffers into the database).

OK, so a few things to consider.   By inserting the records itself,
which is the default schema behavior,  you have a binary form of
every field available in the database, but MySQL supports a limited
set of operations on binary blob data.

By "exposing" fields in the MySQL schema, you can have MySQL
operate on it, like sorting, selecting based ranges, patterns etc, but
you don't really want to "expose"  all the fields.  The message here
is to expose only the fields that you want MySQL to do operations on.

And you let ra* programs do the operations on the other fields.

Carter

On Sep 11, 2009, at 10:11 PM, CS Lee wrote:

> hi Carter,
>
> rasqlinsert is running smooth now, and I'm happy with it, I'm  
> testing adding user data to the db, but I hit this error, here's the  
> command I use
>
> rasqlinsert -n -S localhost -w mysql://root@localhost/argusdb/argusRT_%Y_%m_%d 
>  -M cache -m srcid proto saddr sport daddr dport -s stime srcid flgs  
> proto saddr sport dir daddr dport spkts dpkts sbytes dbytes pkts  
> bytes state suser duser - ip
>
> This error shows up
>
> ArgusInfo: 10:03:17.116854 mysql_real_query error You have an error  
> in your SQL syntax; check the manual that corresponds to your MySQL  
> server
>
> Here's the database schema that automatically created when I run  
> rasqlinsert -
>
> echo 'desc argusRT_2009_09_12' | mysql -u root argusdb
> Field    Type    Null    Key    Default    Extra
> stime    double(18,6) unsigned    NO        NULL
> srcid    varchar(64)    YES        NULL
> flgs    varchar(32)    YES        NULL
> proto    varchar(16)    NO        NULL
> saddr    varchar(64)    NO        NULL
> sport    varchar(10)    NO        NULL
> dir    varchar(3)    YES        NULL
> daddr    varchar(64)    NO        NULL
> dport    varchar(10)    NO        NULL
> spkts    bigint(20)    YES        NULL
> dpkts    bigint(20)    YES        NULL
> sbytes    bigint(20)    YES        NULL
> dbytes    bigint(20)    YES        NULL
> pkts    bigint(20)    YES        NULL
> bytes    bigint(20)    YES        NULL
> state    varchar(32)    YES        NULL
> suser    varbinary(2048)    YES        NULL
> duser    varbinary(2048)    YES        NULL
> record    blob    YES        NULL
>
>
> If I don't add suser and duser, everything is running great.
>
> Thanks!
>
> -- 
> Best Regards,
>
> CS Lee<geek00L[at]gmail.com>
>
> http://geek00l.blogspot.com
> http://defcraft.net

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://pairlist1.pair.net/pipermail/argus/attachments/20090912/42115add/attachment.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 3815 bytes
Desc: not available
URL: <https://pairlist1.pair.net/pipermail/argus/attachments/20090912/42115add/attachment.bin>

More information about the argus mailing list