firnsy / barnyard2

Barnyard2 is a dedicated spooler for Snort's unified2 binary output format.
GNU General Public License v2.0

Barnyard2 not connecting to external MySQL server #169

Closed DelFireman closed 8 years ago

DelFireman commented 8 years ago

I built barnyard2 compiled from the git repository on a Google Compute Engine instance running Ubuntu 14.04 LTS. I am running a MySQL instance on Google Cloud.

My goal is to have barnyard2 act as a snort unified2 log processor for multiple sensors spread over a geographic area. SNORT is loaded, but not used.

From the compute engine, I am able to connect to the MySQL instance using the MySQL client and the same credentials assigned to BarnYard2.

I am also able to connect to the database from other data sources as can be seen below.

| Id | User | Host | db | Command | Time | State | Info |
| --- | --- | --- | --- | --- | --- | --- | --- |
| 460 | cyberxxxxxxxx | xx.xxx.55.90 | cyberxxx_xxxx | Sleep | 0 | | NULL |
| 483 | cyberxxxxxxxx | xx.xxx.55.90 | cyberxxx_xxxx | Sleep | 0 | | NULL |
| 604 | cyberxxxxxxxx | xxx.xxx.4.217 | cyberxxx_xxxx | Query | 0 | cleaning up | show processlist |

460 and 483 are from the different data source.

604 is connecting into the MySQL instance from the Google Cloud Engine VM using mysql-client.

Any clues would be greatly appreciated on why Barnyard2 is not able to connect to the same database. Bad build / local compile?

Barnyard2 Running in Test mode

```
$ barnyard2 -T -c barnyard2.conf
Running in Test mode

        --== Initializing Barnyard2 ==--
Initializing Input Plugins!
Initializing Output Plugins!
Parsing config file "barnyard2.conf"

+[ Signature Suppress list ]+
----------------------------
+[No entry in Signature Suppress List]+
----------------------------
+[ Signature Suppress list ]+

Barnyard2 spooler: Event cache size set to [2048]
INFO database: Defaulting Reconnect/Transaction Error limit to 10
INFO database: Defaulting Reconnect sleep time to 5 second
database mysql_error: Access denied for user 'cyberxxxxxxxx'@'xxx.xxx.4.217' (using password: YES)
Barnyard2 exiting
database: Closing connection to database "cyberxxx_xxxx"
```

Contents of barnyard2.conf

```
$ cat barnyard2.conf
# set the appropriate paths to the file(s) your Snort process is using.
#
config reference_file:      /etc/snort/reference.config
config classification_file: /etc/snort/classification.config
config gen_file:            /etc/snort/gen-msg.map
config sid_file:            /etc/snort/sid-msg.map

# Configure signature suppression at the spooler level see doc/README.sig_suppress
#
#
#config sig_suppress: 1:10

# set the directory for any output logging
#
config logdir: /var/cyberxxx/xxxx/eth0/log

# to ensure that any plugins requiring some level of uniqueness in their output
# the alert_with_interface_name, interface and hostname directives are provided.
# An example of usage would be to configure them to the values of the associated
# snort process whose unified files you are reading.
#
config hostname:  cyberxxxxxxxx
config interface: eth0
# config alert_with_interface_name

# enable daemon mode
#
#config daemon

# enable verbose logging
#
config verbose

# define the full waldo filepath.
#
config waldo_file: /var/cyberxxx/Home/eth0/barnyard2.waldo

#
# CONTINUOUS MODE
#
# set the archive directory for use with continuous mode
#
config archivedir: /var/cyberxxx/xxxx/eth0

# when in operating in continous mode, only process new records and ignore any
# existing unified files
#
#config process_new_records_only

#
# setup the input plugins
#
# this is not hard, only unified2 is supported ;)
input unified2

# alert_bro
# ----------------------------------------------------------------------------
#
# Purpose: Send alerts to a Bro-IDS instance.
#
# Arguments: hostname:port
#
# Examples:
# output alert_bro: 127.0.0.1:47757

output database: log, mysql, user=cyberxxxxxxxx password=Password dbname=cyberxxx_xxxx host=xxx.xxx.253.205

# to forward alerts also to syslog, uncomment the following 2 lines:
# output alert_syslog_full: sensor_name snortIds1-eth1, local
# output log_syslog_full: sensor_name snortIds1-eth1, local, log_priority LOG_CRIT
```
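The failure above is the classic "CLI works, daemon doesn't" shape: MySQL authenticates a (user, host, password) triple, and the `Access denied ... 'cyberxxxxxxxx'@'xxx.xxx.4.217'` line tells you exactly which user and source address the server saw. The triage is to compare three things: what `barnyard2.conf` carries on the `output database:` line, what the server reported, and which `mysql.user` row the server would pick for that user@host. The script below is an added example, not code from barnyard2 or from the issue author. It parses the config line and the error line taken from this issue, then applies a simplified version of MySQL's host-matching rules (an exact host beats a pattern; among `%`/`_` patterns the one with the most literal characters wins) to a constructed sample of `mysql.user` rows; the tokenization of the `output database:` parameters as whitespace-separated `key=value` pairs is an assumption, not a statement about the project's own parser.

```python
"""Added example (not code from barnyard2 or from the issue author): triage a
Barnyard2 "Access denied" against MySQL's account table.

Three steps: (1) pull the credentials out of the `output database:` line of
barnyard2.conf, (2) pull the user@host that MySQL actually saw out of the
error line, (3) work out which mysql.user row MySQL would select for that
user@host.  The host-matching logic is a simplified stand-in for MySQL's own
(exact host beats a pattern; among patterns, the one with the most literal
characters wins) and the account rows are constructed sample data.
"""
import re

# Taken from the issue text (the password was already redacted there).
CONF_LINE = ("output database: log, mysql, user=cyberxxxxxxxx password=Password "
             "dbname=cyberxxx_xxxx host=xxx.xxx.253.205")
ERROR_LINE = ("database mysql_error: Access denied for user "
              "'cyberxxxxxxxx'@'xxx.xxx.4.217' (using password: YES)")

# Constructed sample of (User, Host) rows as `SELECT User, Host FROM mysql.user`
# would return them.  Assumption: the real table on the poster's server differs.
SAMPLE_ACCOUNTS = [
    ("cyberxxxxxxxx", "xx.xxx.55.90"),   # the other data source's address
    ("cyberxxxxxxxx", "xxx.xxx.4.%"),    # wildcard row covering the VM's /24
    ("cyberxxxxxxxx", "xxx.xxx.4.217"),  # exact row for the GCE VM
    ("root", "localhost"),
]

ACCESS_DENIED = re.compile(
    r"Access denied for user '([^']*)'@'([^']*)' \(using password: (YES|NO)\)")


def parse_output_database(line):
    """Split `output database: <type>, <backend>, k=v k=v ...` into its parts.

    Assumption: parameters are whitespace-separated key=value tokens, so a
    password containing spaces or commas is cut short here.  That is exactly
    the kind of thing to check when the CLI accepts a password but the
    daemon's config does not.
    """
    body = line.split(":", 1)[1]
    parts = [p.strip() for p in body.split(",", 2)]
    if len(parts) != 3:
        raise ValueError("expected 'output database: <type>, <backend>, k=v ...'")
    log_type, backend, param_str = parts
    params = {}
    for tok in param_str.split():
        key, sep, val = tok.partition("=")
        if not sep:
            raise ValueError(f"parameter without '=': {tok!r}")
        params[key] = val
    return log_type, backend, params


def parse_access_denied(line):
    """Extract user, host and whether a password was sent from the error line."""
    m = ACCESS_DENIED.search(line)
    if not m:
        return None
    return {"user": m.group(1), "host": m.group(2),
            "password_sent": m.group(3) == "YES"}


def host_pattern_to_regex(pattern):
    """MySQL host patterns: % matches any run of characters, _ exactly one."""
    out = "".join(".*" if c == "%" else "." if c == "_" else re.escape(c)
                  for c in pattern)
    return re.compile("^" + out + "$")


def specificity(host):
    """Higher sorts first: literal hosts beat patterns, then more literal chars."""
    if "%" not in host and "_" not in host:
        return (2, len(host))
    return (1, sum(1 for c in host if c not in "%_"))


def matching_account(accounts, user, client_host):
    """Return the (User, Host) row MySQL would use for user@client_host, or None."""
    candidates = [(u, h) for (u, h) in accounts
                  if u == user and host_pattern_to_regex(h).match(client_host)]
    return max(candidates, key=lambda uh: specificity(uh[1])) if candidates else None


def diagnose(conf_line, error_line, accounts):
    """Combine the three views and return the evidence plus a verdict string."""
    _, backend, params = parse_output_database(conf_line)
    err = parse_access_denied(error_line)
    if err is None:
        return {"verdict": "not an access-denied error"}
    row = matching_account(accounts, err["user"], err["host"])
    result = {"backend": backend, "configured_user": params.get("user"),
              "server_saw": f"{err['user']}@{err['host']}", "account_row": row}
    if params.get("user") != err["user"]:
        result["verdict"] = "user in barnyard2.conf differs from the one the server reported"
    elif row is None:
        result["verdict"] = ("no mysql.user row matches this user@host; "
                             "create/grant one for the client address")
    elif not err["password_sent"]:
        result["verdict"] = "no password was sent; the password= parameter was not picked up"
    else:
        result["verdict"] = (f"row {row[0]}@{row[1]} was selected, so the password "
                             "Barnyard2 sent does not match that row; compare it "
                             "with the one the CLI used")
    return result


if __name__ == "__main__":
    for k, v in diagnose(CONF_LINE, ERROR_LINE, SAMPLE_ACCOUNTS).items():
        print(f"{k}: {v}")
```

Run it as-is and the verdict is that an account row for the VM's address exists, so the difference must be in the password as Barnyard2 read it, which is the case when a CLI login from the same address succeeds. Two practical notes: on a real server replace `SAMPLE_ACCOUNTS` with the output of `SELECT User, Host FROM mysql.user WHERE User = '...'` and confirm the tokenization against the database output plugin's own parser in the repository before trusting the password check; and since the `output database:` line stores the password in clear text, keep `barnyard2.conf` readable only by the account that runs the spooler and give that MySQL user only the privileges the plugin needs on its own schema.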

DelFireman commented 8 years ago

Finally got it working.