Snort mailing list archives
Sanity check for high volume logging
From: "Zarathustra Ubermensch" <zubermensch () hotmail com>
Date: Mon, 07 Jan 2002 16:34:41 -0500
Hello,

Config: snort 1.8.1 running under Solaris 8 (netra t1) with mysql 3.23

I'm currently monitoring some pretty high traffic levels and am logging them to mysql with the following command lines in my snort.conf:
output database: log, mysql, user=mysql sensor_name=sensor.company.com dbname=snort host=localhost
output database: alert, mysql, user=mysql sensor_name=sensor.company.com dbname=snort host=localhost
Performance is lacking, so I'd like to switch to binary logging by using something like "output log_tcpdump: sensor.company.com-tcpdump.log"
My questions:

1. Will this capture both "log" and "alert" information similar to the way in which my current mysql config works? i.e. will I get the same data regardless of the logging mechanism (tcpdump or mysql)?
2. I'd still like to aggregate this data to a much beefier database server for long term trend analysis. Can I use a different snort.conf file that uses "output database" configs and simply replay the tcpdump logs against that snort.conf to populate the database?
I'm pretty sure I already know the answers, but I thought I'd ask JIC there's a better way to do this. Thanks for any help that you can give.
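As an added illustration (not part of the original message), here is one way to split the setup the post describes into a sensor-side config and a separate replay config, assuming Snort 1.8's output plugin syntax and its `-r` (read pcap) and `-c` (config file) command-line options; the file and database names are placeholders taken from the post.

```conf
# --- sensor.conf: runs on the Solaris sensor at wire speed ---
# log_tcpdump is a "log" facility plugin: it writes the packets that
# matched rules into a pcap file, and nothing else. The alert record
# (signature name, classification, timestamp) is not stored in that
# file, so an alert plugin is still needed if you want it on the sensor.
output log_tcpdump: sensor.company.com-tcpdump.log
output alert_fast: sensor.company.com-alerts.txt

# --- db.conf: used later on the beefier database host ---
# Same rules as the sensor, but with the database plugins in place of
# log_tcpdump. Replaying the pcap re-runs detection, so the database
# only ends up with the same events if the rule set and preprocessor
# settings match what the sensor used when the packets were captured.
output database: log, mysql, user=mysql sensor_name=sensor.company.com dbname=snort host=localhost
output database: alert, mysql, user=mysql sensor_name=sensor.company.com dbname=snort host=localhost

# Replay on the database host (shell command, shown here as a comment):
#   snort -r sensor.company.com-tcpdump.log -c db.conf -l /var/log/snort
```

Because the pcap holds only packets that already matched a rule, the replay cannot surface anything the sensor did not log; it can only re-populate the database with those events.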
Current thread:
- Sanity check for high volume logging Zarathustra Ubermensch (Jan 07)
- Re: Sanity check for high volume logging Martin Roesch (Jan 08)