On Fri, 28 Dec 2007, Javier Fernández-Sanguino Peña wrote:
The first entry on your snort.log is rather enlightening:
Dec 17 23:28:51 sheep snort[32392]: database: mysql_error: MySQL server has
gone away
Yes, when filing the report I completely forgot to mention these messages.
And yes, I've come across http://dev.mysql.com/doc/refman/5.0/en/gone-away.html
too, but I thought that snort loses the connection because of mysql
restarting in the morning because of logrotate - but this shouldn't be the
case, as only "flush-logs" is executed.
Notice that you can change the server's wait-timeout variable on mysqld to
make connections last longer.
Of course, this should be handled upstream, but: couldn't snort just
reconnect to mysql? (cf. a totally different application with similiar
symptoms: http://trac.lighttpd.net/trac/ticket/518)
Thanks.
--
BOFH excuse #255:
Standing room only on the bus.
