Barnyard2 and MariaDB
-
make package
command works. I can install that package locally without problem. It loads the binary correctly:[Ricky@freebsd ~/repo/github/pfsense/FreeBSD-ports/security/barnyard2]$ ldd /usr/local/bin/barnyard2 /usr/local/bin/barnyard2: libmysqlclient.so.20 => /usr/local/lib/mysql/libmysqlclient.so.20 (0x800a00000) libz.so.6 => /lib/libz.so.6 (0x800fb9000) libpcap.so.8 => /lib/libpcap.so.8 (0x8011d1000) libm.so.5 => /lib/libm.so.5 (0x80142d000) libc.so.7 => /lib/libc.so.7 (0x80165a000) libssl.so.8 => /usr/lib/libssl.so.8 (0x801a16000) libcrypto.so.8 => /lib/libcrypto.so.8 (0x801e00000) librt.so.1 => /usr/lib/librt.so.1 (0x80226f000) libexecinfo.so.1 => /usr/lib/libexecinfo.so.1 (0x802475000) libc++.so.1 => /usr/lib/libc++.so.1 (0x802678000) libcxxrt.so.1 => /lib/libcxxrt.so.1 (0x802946000) libgcc_s.so.1 => /lib/libgcc_s.so.1 (0x802b65000) libthr.so.3 => /lib/libthr.so.3 (0x802d74000) libelf.so.2 => /lib/libelf.so.2 (0x802f9c000)
But I struggled with ARM cross compile. The wiki I quote suggest use the build flag like
TARGET=arm TARGET_ARCH=armv6
. But it doesn't work. It still shows amd64 binary.[Ricky@freebsd ~/repo/github/pfsense/FreeBSD-ports/security/barnyard2]$ make -j8 package TARGET=arm TARGET_ARCH=armv6 [Ricky@freebsd ~/repo/github/pfsense/FreeBSD-ports/security/barnyard2]$ file work/stage/usr/local/bin/barnyard2 work/stage/usr/local/bin/barnyard2: ELF 64-bit LSB executable, x86-64, version 1 (FreeBSD), dynamically linked, interpreter /libexec/ld-elf.so.1, for FreeBSD 11.2, FreeBSD-style, stripped
Thanks for your time. I will ask the folks how to cross compile in FreeBSD embedded section.
-
@rickyzhang :
You have to installqemu-user-static
. That's what I've really been talking about the whole time I've mentioned qemu. I was shortening what I typed. I thought you understood already that's how you cross-compile ARM code on AMD64 hardware. That's what the pfSense builder environment does for you, and that is why I use it. It only quit working rather recently (as in the 1st quarter of this year) due to changes in some of the dependent packages such as Go. What happened is that some of the latest ports updates on FreeBSD no longer build properly when cross-compiled usingqemu-user-static
.If you want to build only a single package, you can alter the
make.conf
andpoudriere.bulk
files in the pfSense tree to accomplish that. There are also some port options specified for Barnyard2 that are needed. -
There are two different things: emulation and cross compile.
The emulation means emulating ARM instruction set under AMD64. That means you need ARM version FreeBSD OS and toolchain. That's why I struggled to run the pre-built RPI2 SD card image provided by FreeBSD in QEMU.
Cross compile means your OS and toolchain still run as AMD64 native. It is the compiler (written in native AMD64 instruction) that generates the code which can run in ARM instruction set target platform (Think of this process as you speak foreign language without being in foreign country)
I don't know the technical details
qemu-user-static
. But it sounds like it is an emulation rather than cross compile. Can you find a doc on this thingy?I thought passed in the flag
TARGET=arm TARGET_ARCH=armv6
will force to use cross compiler toolchain. -
The
qemu-user-static
package is the easiest way to cross-compile by using emulation. So I am really talking about both things (cross-compile and emulation). Here is a link: https://forums.freebsd.org/threads/building-arm-packages-with-poudriere-the-simple-way.52994/. And here is another link discussing a similar setup: https://www.dvatp.com/tech/armv6_freebsd_poudriere.The steps outlined in those links are basically what the pfSense package builder scripts are doing for you if you follow my earlier instructions to set that up.
-
If you cross compile, you don't need emulation.
I'm not familiar with FreeBSD jail or poudriere. But it sounds like Linux docker container where it use the same kernel but different cgroup and an independent rootfs to isolate the build env. In any case, docker container always run as native binary. I bet FreeBSD should do the same. Correct me if I'm wrong.
I already started the process like below to build my cross compiler tool chain: http://ray-freebsd.blogspot.com/2011/09/cross-compiling-ports-for-freebsd.html
I will try your poudriere if there is too much trouble.
Thanks in advance.
-
@rickyzhang :
My understanding is that you need the emulation because some of the required tools are not available in AMD64 form or something like that. I've never investigated the "why" in much detail. I'm telling you the process that was given to me by the pfSense developer team a couple of years ago and that is incorporated into their build process. If you don't want to follow that advice, then OK. You can try the cross-compilation route. I will tell you that the pfSense team uses the method I described (well, that is until the last round of FreeBSD ports updates where some ports (Go being one of them) quit building properly using the emulation/cross-compiling tool chain.I understand the difference between emulation and cross-compiling, but I was not sure of your level of expertise so I was not specific about the details. Since you are not familiar with Poudriere, it sounds like your FreeBSD experience may be limited. In many ways the compilation and linking tools for FreeBSD lag behind those available for Linux (and some of the defaults are different, for example using llvm instead of gcc).
-
I may know why. I'm sure Golang is the one to be blamed. Because the latest version of Golang build needs to use lower version of Golang to bootstrap its build process. Imagine how that will work in cross compiling process. You cross compile a bootstrap Golang but only runs in ARM. You can't use that bootstrap version Golang in your AMD64 platform to build the latest version of Golang.
I admit I have limited FreeBSD experience. There are tons of doc to read and catch it up. But I really appreciate your help and advice from FreeBSD community.
No offense. I felt the same way as you did: FreeBSD did lag behind Linux in terms of tooling. But FreeBSD did have advantage to run as network equipment because Linux change so rapidly. You have no idea how many bugs are introduced because of those "new features".
I got stuck now because I don't know:
- How to get clang build tools. The svn repo doesn't include clang
svn checkout https://svn.freebsd.org/base/releng/`uname -r | cut -d'-' -f1,1` /usr/src
- How to have a clean slate so that I can clean up all configuration setting and artifacts from the AMD64 build of dependencies ports (a lot of them).
- How to get clang build tools. The svn repo doesn't include clang
-
I was wrong about source code doesn't include clang. It is in
usr.bin
source code folder.But I'm right about poudriere regarding to its emulation nature. I built a poudriere jail as you instructed:
sudo poudriere jails -c -j pfsense-port-11-2-armv6 -a arm.armv6 -m svn -v release/11.2.0
I found that the compiler cc in the armv6 architecture is actually ARM binary. That means when we build anything inside the jail, we compile in ARM emulation in AMD64 platform. It is not going to be fast compared to cross compile.
Ricky@freebsd ~ $ file /usr/local/poudriere/jails/pfsense-port-11-2-armv6/usr/bin/cc /usr/local/poudriere/jails/pfsense-port-11-2-armv6/usr/bin/cc: ELF 32-bit LSB executable, ARM, EABI5 version 1 (FreeBSD), statically linked, for FreeBSD 11.2, FreeBSD-style, stripped
-
Yes, the building of the ARM packages is much slower in the pfSense builder than the AMD64 packages. You can selectively build for each architecture independently using arguments for the
build.sh
script provided in the pfSense builder tools. I have been building only AMD64 versions of my Snort and Suricata packages because of the problems with Golang that you mentioned. The Golang issue prevents the ARM build process from completing successfully.However, if you turn off all of the ARM packages except for just the ones required for Barnyard2 the ARM build might suceed. I have not tried. You can turn packages "on" and "off" by manipulating the Poudriere "bulk" files. If using the pfSense build tree, those will be in pfsense/tools/conf. The
make.conf
file in that same path controls the various option knobs for each port. That's where you selectively enable or disable particular build options. -
I'm still studying how to use poudriere. As I have tried the build process in AMD64, it is fairly easy to run
make
command in pfsense port tree to build Barnyard2 package. It also works correctly.I wrote my notes here. You can see that I listed two approaches to build ARM ports. In the 1st approach a.k.a cross compile approach, I succeeded in building cross compile tool chain for armv6 (This mean you can run the build process in native AMD64 way. It is much faster than emulation). But I haven't figured it out how to override default cc and link command by my cross compile tool chain. FreeBSD port Makefile does not work like Linux way. Please let me know if you know the answer.
Regarding to poudriere emulation approach, I'm thinking:
- Create a poudriere port from a local cloned pfsense port directory.
- Choose Baryard2 package from a package list file.
- Run poudriere bulk
I read the build.sh script from pfsense. It is a lot of bash reading to figure out how it works. Gosh... pfsense make it hard for us to build it.
-
@rickyzhang said in Barnyard2 and MariaDB:
I'm still studying how to use poudriere. As I have tried the build process in AMD64, it is fairly easy to run
make
command in pfsense port tree to build Barnyard2 package. It also works correctly.I wrote my notes here. You can see that I listed two approaches to build ARM ports. In the 1st approach a.k.a cross compile approach, I succeeded in building cross compile tool chain for armv6 (This mean you can run the build process in native AMD64 way. It is much faster than emulation). But I haven't figured it out how to override default cc and link command by my cross compile tool chain. FreeBSD port Makefile does not work like Linux way. Please let me know if you know the answer.
Regarding to poudriere emulation approach, I'm thinking:
- Create a poudriere port from a local cloned pfsense port directory.
- Choose Baryard2 package from a package list file.
- Run poudriere bulk
I read the build.sh script from pfsense. It is a lot of bash reading to figure out how it works. Gosh... pfsense make it hard for us to build it.
Just running
make
from inside the pfSense ports tree is not the same as running theirbuild.sh
script with the proper arguments. The build process uses Poudriere with a proper Poudriere Jail that has the correct port revisions within it needed to make things work on pfSense itself. Running the build within the jail is a key part of the process, especially if you want a final package file that you can install usingpkg
on the firewall with all the correct dependencies listed.pfSense builds their packages using the method I described to you. They do not use your cross-compile method because it has issues on FreeBSD as you are experiencing.
-
First of all, I think we should never call using poudriere jail to compile ARM in AMD64 platform is cross compile. It is emulation. Basically, it use qemu-arm-static to run ARM binary tool chain like cc in emulation mode. The performance really sucks even in my 8 cores i9-9900K CPU.
I enabled the following in
/usr/local/etc/poudriere.conf
. But after 30 minutes run, it still compiling dependencies of Barnyard2.PARALLEL_JOBS=8 ALLOW_MAKE_JOBS=yes
The fastest way should be cross compile tool chain. I remember last time I used
make
command to build Barnyard2 in amd64. It took less than 10 minutes. I'm surprised FreeBSD community or pfsense has not improved it. I'm thinking of creating amd64 jail and override tool chain with cross compile ones. But that's my next step. First thing first: patch Barnyard2....Right now, my poudriere bulk got stuck in fetching textinfo package. I believed the server must be down. I will give it a try later.
[00:29:11] [01] [00:00:15] Finished print/texinfo | texinfo-6.5,1: Failed: fetch [00:29:11] [01] [00:00:15] Skipping devel/autoconf | autoconf-2.69_1: Dependent port print/texinfo | texinfo-6.5,1 failed [00:29:11] [01] [00:00:15] Skipping devel/automake | automake-1.16.1: Dependent port print/texinfo | texinfo-6.5,1 failed [00:29:11] [01] [00:00:15] Skipping security/barnyard2 | barnyard2-1.13_1: Dependent port print/texinfo | texinfo-6.5,1 failed [00:29:11] [01] [00:00:15] Skipping devel/libtool | libtool-2.4.6: Dependent port print/texinfo | texinfo-6.5,1 failed [00:29:11] [01] [00:00:15] Skipping devel/m4 | m4-1.4.18,1: Dependent port print/texinfo | texinfo-6.5,1 failed
-
I got stuck in building Barnyard2 dependencies. I tried it again this morning. It still failed at fetching. I bet the file checksum or the size has been changed. Do you have a good suggestion?
=========================================================================== =======================<phase: fetch-depends >============================ =========================================================================== =======================<phase: fetch >============================ ===> License GPLv3+ accepted by the user => texinfo-6.5.tar.xz doesn't seem to exist in /portdistfiles/texinfo/6.5. => Attempting to fetch https://ftpmirror.gnu.org/texinfo/texinfo-6.5.tar.xz texinfo-6.5.tar.xz 0 B 0 Bps => htmlxref.cnf doesn't seem to exist in /portdistfiles/texinfo/6.5. => Attempting to fetch http://distcache.FreeBSD.org/local-distfiles/sunpoet/texinfo/6.5/htmlxref.cnf fetch: http://distcache.FreeBSD.org/local-distfiles/sunpoet/texinfo/6.5/htmlxref.cnf: Not Found => Attempting to fetch http://distcache.us-east.FreeBSD.org/local-distfiles/sunpoet/texinfo/6.5/htmlxref.cnf fetch: http://distcache.us-east.FreeBSD.org/local-distfiles/sunpoet/texinfo/6.5/htmlxref.cnf: Not Found => Attempting to fetch http://distcache.eu.FreeBSD.org/local-distfiles/sunpoet/texinfo/6.5/htmlxref.cnf fetch: http://distcache.eu.FreeBSD.org/local-distfiles/sunpoet/texinfo/6.5/htmlxref.cnf: Not Found => Attempting to fetch http://distcache.us-west.FreeBSD.org/local-distfiles/sunpoet/texinfo/6.5/htmlxref.cnf fetch: http://distcache.us-west.FreeBSD.org/local-distfiles/sunpoet/texinfo/6.5/htmlxref.cnf: Not Found => Attempting to fetch http://distcache.FreeBSD.org/ports-distfiles/texinfo/6.5/htmlxref.cnf fetch: http://distcache.FreeBSD.org/ports-distfiles/texinfo/6.5/htmlxref.cnf: size mismatch: expected 20137, actual 20076 => Couldn't fetch it - please try to retrieve this => port manually into /portdistfiles/texinfo/6.5 and try again. *** Error code 1 Stop. make: stopped in /usr/ports/print/texinfo =>> Cleaning up wrkdir ===> Cleaning for texinfo-6.5,1 build of print/texinfo | texinfo-6.5,1 ended at Tue Aug 6 08:14:30 UTC 2019 build time: 00:00:13 !!! build failure encountered !!!
Do you have a detail step to use pfsense build process to compile to ARM target platform from AMD64 platform?
I'm slow. I have to have some detailed step in the notes like this.
I grep pfsense repo and see how they use poudriere. It doesn't seem like they use my 2nd approach in my notes where you create emulation ARM jail in poudriere. I don't know if they build in a beefy ARM board or they use cross compiler in AMD64 with ARM target.
I saw your name in pfsense's commit. I beg you are quite active from community to send PR. You are the right person I should talk to.
Thanks!
-
For some reason your builder is having problems downloading the source code for that port. You might want to try the download manually from other Internet locations. If the required tarball is in /usr/ports/distfiles, then the
make
process won't attempt to download it.I am the maintainer for the Snort and Suricata packages on pfSense, so yeah, I have a number of commits to the FreeBSD-ports tree in pfSense. That's also why I use their builder script when compiling my packages for testing before submitting them to the upstream master tree.
Using the builder environment for packages is not that difficult. Here are the basic steps. I'm assuming you want to build your package for pfSense-2.4.4, so my instructions are based on that. However, I don't target that environment. I build for the DEVEL branch, so I'm not 100% sure that everything I have outlined below works on the RELENG_2_4_4 branch.
- Begin by installing
qemu-user-static
on your FreeBSD machine with this command:
pkg install qemu-user-static
- Make sure you have cloned both the FreeBSD-ports and pfsense repos onto your FreeBSD machine.
- Change into the FreeBSD-ports directory and execute this command to switch to the pfSense-2.4.4 branch.
git checkout RELENG_2_4_4
- Then go back up one directory level and change down into the pfsense directory.
- To see all the options for the
build.sh
script, execute it with no arguments like this:
./build.sh
- Execute this command to set up an intial builder environment:
./build.sh --setup
- After that completes, execute the command to pull down the latest FreeBSD source code in preparation for building a poudriere jail. Note that you will need to edit the file
/pfsense/tools/builder_common.sh
and comment out two sections in that file having to do with pulling down the source tree for the Netgate ID stuff (gnid) as that is proprietary source and source code update will fail when it can't pull down that code. Use an editor and search for the phrase "gnid" in the script file. You will find it used in two "if" blocks in the script. Comment out both "if" blocks entirely and then save the file. After editing and saving the file, execute this command:
./build.sh --update-sources
- When that finishes, it's time to actually create the Poudriere ports tree and the jails for building using this command (note, this will take at least an hour and probably nearly twice that long to complete depending on your hardware):
./build.sh --setup-poudriere
- To actually start a package build process after the ports tree and pourdriere jails are ready, execute this command:
./build.sh --update-pkg-repo
- There are some additional command line options for the previous command. You can use
-a [arch]
to control which CPU architectures to target. The default is to build both AMD64 and ARM packages. If you want to build say just AMD64 packages, the argument would be-a amd64.amd64
. For just ARM packages, the argument would be-a arm.armv7
.
The completed packages will be stored in sub-directories under /usr/local/poudriere/data/packages on your FreeBSD machine.
Because of the issues with some packages under
qemu-user-static
, you will want to edit the filepfsense/tools/conf/pfPorts/poudriere.bulk.exclude.arm.armv7
to remove all of the ports that depend on the problematic packages such as Golang. You can open and examine the file to see the required syntax. This may become a trial and error process to get everything excluded.The above process will work, but it might take a few iterations and some trial and error to get it all going. There is no official documentation, but if you wade through the
builder_common.sh
script you can figure out how things work by looking at the code.Also note that the setup process only has to be performed once. Thereafter, you can simply execute
./build.sh --update-pkg-repo
to build a new version of a package. To make poudriere start a new build of a modified package, you will have to either bump the port version string or go to the /usr/local/poudriere/data/packages tree and remove the package file that you want to rebuild. Either of these two methods will alert poudriere that a build of that package is required.
- Begin by installing
-
I really appreciate your help! I will give a try tonight.
Please let me know if you are OK with me to copy your steps to my wiki.
I found the culprit why I got stuck. The file size of texinfo/6.5/htmlxref.cnf specified by
print/texinfo/distinfo
doesn't match what it downloads from Internet../distinfo:5:SIZE (texinfo/6.5/htmlxref.cnf) = 20137
I check out my FreeBSD-ports repo on
tag: v2.4.4_3
which match the release of my pfsense router current firmware. But it looks like the build can't replicate due to the dependency of hell.I will switch to devel branch. I found that it change the file size.
-
@rickyzhang said in Barnyard2 and MariaDB:
v2.4.4_3
I haven't tried your build.sh approach. But I succeeded in building Barnyard2 in poudriere ARM jail. I applied the make.conf from pfsense. So I don't need to answer the build options during the build.
The whole build process took about 2hrs! But I went into dependency hell. I manually substitute original barnyard2 binary in
/usr/local/bin
with my new one. The new one needslibmysqlclient.so.20
, while the original one needslibmysqlclient.so.18
.Although I have new mysqlclient package, I don't think it is a good idea to replace it.
[2.4.4-RELEASE][admin@pfSense.localdomain]/root/Download/mysql57: ldd /usr/local/bin/barnyard2.orig /usr/local/bin/barnyard2.orig: libmysqlclient.so.18 => /usr/local/lib/mysql/libmysqlclient.so.18 (0x20100000) libz.so.6 => /lib/libz.so.6 (0x20087000) libpcap.so.1 => /usr/local/lib/libpcap.so.1 (0x200a6000) libm.so.5 => /lib/libm.so.5 (0x20425000) libbroccoli.so.5 => /usr/local/lib/libbroccoli.so.5 (0x2044a000) libc.so.7 => /lib/libc.so.7 (0x20500000) libssl.so.8 => /usr/lib/libssl.so.8 (0x2046f000) libcrypto.so.8 => /lib/libcrypto.so.8 (0x20700000) libexecinfo.so.1 => /usr/lib/libexecinfo.so.1 (0x200f5000) libc++.so.1 => /usr/lib/libc++.so.1 (0x2089e000) libcxxrt.so.1 => /lib/libcxxrt.so.1 (0x204d1000) libgcc_s.so.1 => /lib/libgcc_s.so.1 (0x20666000) libthr.so.3 => /lib/libthr.so.3 (0x20675000) libelf.so.2 => /lib/libelf.so.2 (0x206a2000) [2.4.4-RELEASE][admin@pfSense.localdomain]/root/Download: ldd arm-pkg/barnyard2 arm-pkg/barnyard2: libmysqlclient.so.20 => not found (0) libz.so.6 => /lib/libz.so.6 (0x20089000) libpcap.so.1 => /usr/local/lib/libpcap.so.1 (0x200a8000) libm.so.5 => /lib/libm.so.5 (0x200f7000) libbroccoli.so.5 => /usr/local/lib/libbroccoli.so.5 (0x2011c000) libc.so.7 => /lib/libc.so.7 (0x20200000) libssl.so.8 => /usr/lib/libssl.so.8 (0x20141000) libcrypto.so.8 => /lib/libcrypto.so.8 (0x20400000)
The root of the problem is that my port tree is forked from devel branch which is different from v2.4.4.4_3.
But obviously I have to manually fix Barnyard2 dependency distinfo file. The whole build in pfsense is not repeatable. Because its dependencies come from Internet. That doesn't seem to be a good sign.
-
I keep telling you what to do and you keep ignoring my advice... . Build it within the pfSense builder environment using the
build.sh
script and the various arguments I gave you in the previous post farther up above.Yes, DEVEL in pfSense is based on FreeBSD 12.0 which has a slightly different version of various libraries. pfSense-2.4.4_3 is based on FreeBSD 11.2.
You can probably switch to the RELENG_2_4_4 branch within the pfSense builder environment and build Barnyard2 from there. That is the current RELEASE branch. The initial build of any package is going to take a while because all of the dependencies have to built first. Subsequent builds of just the Barnyard2 module will be much faster.
-
I know I looks like an idiot. When in Rome, do as the Romans do. I will definitely follow your advice later.
Before you give me your detailed instruction for pfsense, I can't find any documents from pfsense so I have to figure this out by myself. It is kind of painful.
As a lazy developer, I look for an easy and quick way to build thing for pfSense.
Because I'm more familiar with
make
command andautoconf
way. So I tried this approach first and then hit the wall when do cross compiling.Later I tried 2nd approach: use poudriere jail. I have to read poudriere user guide. I figured out it is slow ARM emulation rather than cross compile. The pfsense build.sh use poudriere jail as well. So I'm very close to what Romans do now.
I bet most Linux developer who wants to contribute to pfSense will go through the same path like me. I wish we could publish this in our forum so that people can avoid wasting time on build problem and focus on contributing.
-
I create a patch and build the port successfully targeting to ARM platform by using poudriere arm jail.
Barnyard passed the SQL syntax road block. But the daemon crashed after 2+ hours with no log message to indicate why.
I checked the tables in MariaDB. The patched Barnyard2 did populate all meta data table like detail, encoding, reference, reference_system and sensor. However, the alert logging information like event and data table are empty even there were alerts popping up during that time.
I haven't deep dived into how SNORT notifies Barnyard2 to log alert. That may be a rabbit hole to patch it further. I will call it stop.
In any case, if anyone are interested in fixing it, I shared my stuffs below:
-
Fix checksum for texinfo port and SQL syntax for Barnyard2 port in my Github repo. The commit is based on pfSense v2.4.4-p3 release.
-
My notes on how to jump start FreeBSD port development, poudriere port build and port patching.
Thanks @bmeeks for sharing your wisdom!
Aug 7 15:50:26 pfsense.localdomain barnyard2[49355]: --== Initializing Barnyard2 ==-- Aug 7 15:50:26 pfsense.localdomain barnyard2[49355]: Initializing Output Plugins! Aug 7 15:50:26 pfsense.localdomain barnyard2[49355]: Running in Continuous mode Aug 7 15:50:26 pfsense.localdomain barnyard2[49355]: Aug 7 15:50:26 pfsense.localdomain barnyard2[49355]: Initializing Input Plugins! Aug 7 15:50:26 pfsense.localdomain barnyard2[49355]: Parsing config file "/usr/local/etc/snort/snort_55529_mvneta2/barnyard2.conf" Aug 7 15:50:26 pfsense.localdomain barnyard2[49355]: +[ Signature Suppress list ]+ ---------------------------- Aug 7 15:50:26 pfsense.localdomain barnyard2[49355]: Found pid path directive (/var/run) Aug 7 15:50:26 pfsense.localdomain barnyard2[49355]: +[No entry in Signature Suppress List]+ Aug 7 15:50:26 pfsense.localdomain barnyard2[49355]: ---------------------------- +[ Signature Suppress list ]+ Aug 7 15:50:28 pfsense.localdomain barnyard2[49355]: Barnyard2 spooler: Event cache size set to [8192] Aug 7 15:50:28 pfsense.localdomain barnyard2[49355]: Log directory = /var/log/snort/snort_mvneta255529 Aug 7 15:50:28 pfsense.localdomain barnyard2[49355]: INFO database: Defaulting Reconnect/Transaction Error limit to 10 Aug 7 15:50:28 pfsense.localdomain barnyard2[49355]: INFO database: Defaulting Reconnect sleep time to 5 second Aug 7 15:50:28 pfsense.localdomain barnyard2[49355]: Initializing daemon mode Aug 7 15:50:28 pfsense.localdomain barnyard2[50346]: Daemon initialized, signaled parent pid: 49355 Aug 7 15:50:28 pfsense.localdomain barnyard2[49355]: Daemon parent exiting Aug 7 15:50:28 pfsense.localdomain barnyard2[50346]: PID path stat checked out ok, PID path set to /var/run Aug 7 15:50:28 pfsense.localdomain barnyard2[50346]: Writing PID "50346" to file "/var/run/barnyard2_mvneta255529.pid" Aug 7 15:52:11 pfsense.localdomain barnyard2[50346]: database: configured to use mysql Aug 7 15:52:11 pfsense.localdomain barnyard2[50346]: database: compiled support for (mysql) Aug 7 15:52:11 pfsense.localdomain barnyard2[50346]: database: schema version = 107 Aug 7 15:52:11 pfsense.localdomain barnyard2[50346]: database: host = 192.168.2.30 Aug 7 15:52:11 pfsense.localdomain barnyard2[50346]: database: user = snort Aug 7 15:52:11 pfsense.localdomain barnyard2[50346]: database: database name = snort_db_wan Aug 7 15:52:11 pfsense.localdomain barnyard2[50346]: database: sensor name = pfSense.localdomain:mvneta2 Aug 7 15:52:11 pfsense.localdomain barnyard2[50346]: database: sensor cid = 2 Aug 7 15:52:11 pfsense.localdomain barnyard2[50346]: database: sensor id = 1 Aug 7 15:52:11 pfsense.localdomain barnyard2[50346]: database: data encoding = hex Aug 7 15:52:11 pfsense.localdomain barnyard2[50346]: database: detail level = full Aug 7 15:52:11 pfsense.localdomain barnyard2[50346]: database: ignore_bpf = no Aug 7 15:52:11 pfsense.localdomain barnyard2[50346]: database: using the "log" facility Aug 7 15:52:11 pfsense.localdomain barnyard2[50346]: --== Initialization Complete ==-- Aug 7 15:52:11 pfsense.localdomain barnyard2[50346]: Aug 7 15:52:11 pfsense.localdomain barnyard2[50346]: Barnyard2 initialization completed successfully (pid=50346) Aug 7 15:52:11 pfsense.localdomain barnyard2[50346]: WARNING: Ignoring corrupt/truncated waldofile '/var/log/snort/snort_mvneta255529/barnyard2/55529_mvneta2.waldo' Aug 7 15:52:11 pfsense.localdomain barnyard2[50346]: Opened spool file '/var/log/snort/snort_mvneta255529/snort_55529_mvneta2.u2.1565207426'
-
-
Snort simply writes records to the unified2 log file for each event. Barnyard2 constantly monitors that file to see when something new comes in and then writes the alert data to the configured DB. There are some configuration options within the Barnyard2 tab of Snort to control exactly what gets written to where.
There is a command line utility included with Snort that can dump the contents of the U2 log. The utility path and filename is
/usr/local/bin/u2spewfoo
. You could use that to see what events, if any, Snort recorded to the unified2 log file that Barnyard2 is monitoring.When the Barnyard2 daemon crashed, did you look to see if anything related was in the pfSense system log? Since you are running on ARM hardware, my first suspicion would be perhaps a Signal 10 Bus Error message in the system log. If you see that, it means the Barnyard2 binary attempted to access unaligned data in memory.