rasqlinsert -s -record doesn't seem to work

Carter Bullard carter at qosient.com
Wed Oct 24 09:35:16 EDT 2012 

Hey Paul,
We've had this fix in rasqlinsert for quite sometime. Starting on line 8410 of rasqlinsert():

      if ((MySQLVersionMajor > 4) || ((MySQLVersionMajor == 4) &&
                                      (MySQLVersionMinor >= 1)))
         sprintf (&sbuf[strlen(sbuf)], ") ENGINE=%s", ArgusParser->MySQLDBEngine);
      else
         sprintf (&sbuf[strlen(sbuf)], ") TYPE=%s", ArgusParser->MySQLDBEngine);

Does your code not have this code ? What version of software are you using?

Carter

On Oct 23, 2012, at 11:14 PM, Paul Schmehl <pschmehl_lists at tx.rr.com> wrote:

> I patched argus tonight, and it's now creating the db and entering the records as I desired.
> 
> I'm attaching the patches.
> 
> TYPE=MyISAM was deprecated in mysql 5.0 but still supported.  Since 5.1 TYPE=MyISAM is no longer supported, and you must use ENGINE=MyISAM.
> 
> This is the command I'm using now:
> 
> rasqlinsert -Z b -M cache -m none -F rasqlinsert.conf -R /path/to/argus/files/2012-10-02/ -w mysql://user:pass@buttercup4.utdallas.edu/dbname/
> tblname_2012_10_02 -M time 1d -s -record
> 
> Here's a view of the tables:
> mysql> select * from tblname_2012_10_02 limit 10;
> +-----------+-------------------+----------------+-------+---------------+-------+------+-------+-------+-------+
> | seq       | stime             | saddr          | sport | daddr         | dport | pkts | bytes | state | proto |
> +-----------+-------------------+----------------+-------+---------------+-------+------+-------+-------+-------+
> | 105807958 | 1349121595.971430 | 10.174.37.162  | 63460 | 68.71.220.62  | 443   |    2 |   120 | A_A   | tcp   |
> | 105807959 | 1349121595.971592 | 10.21.16.47    | 53600 | 64.208.241.65 | 80    |   75 | 68566 | PA_PA | tcp   |
> | 105807960 | 1349121595.971961 | 129.110.31.40  | 39605 | 217.70.185.0  | 53    |    1 |    87 | INT   | udp   |
> | 105807961 | 1349121595.972484 | 74.125.225.134 | 80    | 10.21.1.146   | 61692 |    1 |    60 | _RA   | tcp   |
> | 105807962 | 1349121595.973084 | 10.21.16.178   | 53433 | 74.125.225.99 | 80    |    5 |  2519 | PA_PA | tcp   |
> | 105807963 | 1349121595.974383 | 10.190.104.195 | 59254 | 66.94.240.25  | 80    |    2 |   120 | A_FA  | tcp   |
> | 105807964 | 1349121595.974762 | 10.190.101.245 | 62995 | 75.102.13.140 | 80    |   89 | 48592 | A_PA  | tcp   |
> | 105807965 | 1349121595.974790 | 10.110.143.140 | 54014 | 64.4.44.48    | 1863  |    3 |   182 | PA_PA | tcp   |
> | 105807966 | 1349121595.974874 | 10.21.21.50    | 15326 | 121.9.201.100 | 17788 |    2 |   241 | INT   | udp   |
> | 105807967 | 1349121595.975586 | 10.170.40.197  | 49993 | 70.20.201.40  | 18879 |    8 |   668 | A_PA  | tcp   |
> +-----------+--------------
> 
> Paul Schmehl, Senior Infosec Analyst
> As if it wasn't already obvious, my opinions
> are my own and not those of my employer.
> *******************************************
> "It is as useless to argue with those who have
> renounced the use of reason as to administer
> medication to the dead." Thomas Jefferson
> "There are some ideas so wrong that only a very
> intelligent person could believe in them." George Orwell
> <patch-include-argus__event.h><patch-ramysql-rasql.c><patch-ramysql-rasqlinsert.c><patch-ramysql-rasqltimeindex.h>

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 2589 bytes
Desc: not available
URL: <https://pairlist1.pair.net/pipermail/argus/attachments/20121024/3195d1f5/attachment.bin>

More information about the argus mailing list