rasqlinsert -s -record doesn't seem to work

Paul Schmehl pschmehl_lists at tx.rr.com
Tue Oct 23 17:53:44 EDT 2012


--On October 22, 2012 3:41:20 PM -0400 Carter Bullard <carter at qosient.com> 
wrote:

> Hey Paul,
> OK, so I've tested your situation on 5 different platforms and cannot
> replicate your report.
> Also, my rasqlinsert() won't run with your options, so I'm not sure what
> is going on.
>
>
> I'm using either argus-clients-3.0.6.x or argus-clients-3.0.7.2.
> /tmp/rarc contains:
> % cat /tmp/rarc
>
> RA_FIELD_SPECIFIER="seq stime saddr daddr sport dport sbytes dbytes
> state:16 proto"
>
>
>
> When I run rasqlinsert() with your rarc fields, I get this error message:
>
>
>
> % ../../bin/rasqlinsert -Zb -F /tmp/rarc -s -record -r
> /tmp/argus.2012.10.20.14.25.00 -w
> mysql://root@localhost/ratest/testDb_%Y_%m_%d -M time 1d
> Oct 22 15:12:45 thoth.newyork.qosient.com rasqlinsert[5367] <Error>:
> 2012/10/22.15:12:45.928595 key field 'srcid' not in schema (-s option)
>
>
> This is correct, and is what I would expect.
>
>
> In order to remove the dependency on "srcid" as a KEY field, I ran with
> the "-m none" option.
> Now, when running rasqlinsert(), it runs fine without any errors of any
> kind:
>
>
>
> thoth:ramysql carter$ ../../bin/rasqlinsert -m none -F /tmp/rarc -r
> /tmp/argus.2012.10.20.14.25.00 -w
> mysql://root@localhost/ratest/testDb_%Y_%m_%d -M time 1d -s -record
> thoth:ramysql carter$

I just ran this and got errors and core dumps:

# rasqlinsert -Z b -M cache -m none -r 
/path/to/argus/files/2012-10-15/argus.log.2012-10-15.16:00:00.bz2 -w 
mysql://user:pass@buttercup4.utdallas.edu/dbname/tblname_%Y_%m_%d -M time 1d
rasqlinsert[39513]: 23 Oct 12 21:40:59.481556 mysql_real_query error You 
have an error in your SQL syntax; check the manual that corresponds to your 
MySQL server version for the right syntax to use near 'TY
PE=MyISAM' at line 1
[1]+  Killed: 9               rasqlinsert -Z b -F rasqlinsert.conf -M cache 
-R /path/to/argus/files/2012-10-09 -w 
mysql://user:pass@buttercup4.utdallas.edu/dbname/tblname
Bus error: 10 (core dumped)
[root@buttercup5 ~]# rasqlinsert -Z b -M cache -m none -r 
/path/to/argus/files/2012-10-15/argus.log.2012-10-15.16:00:00.bz2 -w 
mysql://user:pass@buttercup4.utdallas.edu/dbname/tblname_%Y_%m_%d -M time 
1d -D
 6
rasqlinsert[39515]: 23 Oct 12 21:41:14.264349 mysql_real_query error You 
have an error in your SQL syntax; check the manual that corresponds to your 
MySQL server version for the right syntax to use near 'TY
PE=MyISAM' at line 1
Bus error: 10 (core dumped)

Maybe something has changed between mysql 5.1 and 5.5?  ISTR dealing with 
this in one of my ports.  I think the syntax is ENGINE=MyISAM; not 
TYPE=MyISAM.  I think it changed recently.

No, I haven't altered any of your code.

-- 
Paul Schmehl, Senior Infosec Analyst
As if it wasn't already obvious, my opinions
are my own and not those of my employer.
*******************************************
"It is as useless to argue with those who have
renounced the use of reason as to administer
medication to the dead." Thomas Jefferson
"There are some ideas so wrong that only a very
intelligent person could believe in them." George Orwell



