Snort mailing list archives

Re: Centrally controlled log management server


From: Bennett Todd <bet () rahul net>
Date: Wed, 19 Feb 2003 10:00:10 -0500

2003-02-18T19:23:26 Perrymon, Josh L.:
> I have 20 500MHz boxes to install snort on...

Should be Ok, as long as you aren't trying to sniff heavily-loaded
100BaseT or anything. Unless the boxes have loads of RAM (I'd
recommend at least 512MB) you may want to disable the conversation
and portscan2 preprocessors, they climb all over RAM.

> What do you guys do/ suggest for central management of logs...
> I've noticed several appliances BUT I would like good old *nix to
> handle it.

The good old *nix way to handle it is to tell snort to send its
alerts with syslog, and arrange for your syslog.conf to forward them
on to your central logserver.

This however leaves you without the most sophisticated
snort-specific tools for event analysis (like ACID); they want to
work off different formats. If you want to track the main snort
developments for enterprise IDS, look into barnyard forwarding into
MySQL.

If on the other hand you're willing to craft your own analytic
logic to grovel the logfiles (perhaps building on syslog-whacking
tools people have already written) or to purchase a commercial
logfile-groveller (the big ones I've looked at have snort support)
then there are definite advantages to the syslog forwarding
strategy. It's very lightweight and efficient, and in the event of
an overload (someone taking an IDS DoS tool to your sensor) the
deluge is simply dropped, rather than propagating the DoS downstream
into your analytic system or your helpdesk or whatever is the
chokepoint.

-Bennett
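As an added example (not part of the original thread or of the Snort project): one way to do the "craft your own analytic logic to grovel the logfiles" step Bennett describes once the sensors' syslog.conf forwards snort's alert_syslog output to the central logserver. The script parses the Snort 2 alert_syslog line format behind a classic BSD syslog prefix, skips non-snort lines, rolls alerts up per signature and per sensor, and flags a source that hits several distinct destinations with the same signature (the footprint a worm or scanner leaves across a site). The sample log lines, sensor names and addresses are constructed; the fan-out threshold and the function names are this example's own choices.

```python
import re
from collections import Counter, defaultdict
from dataclasses import dataclass
from typing import Iterable, Optional

# Constructed sample of what the central logserver holds after each sensor's
# syslog.conf forwards snort's alerts. On the sensor side this typically comes
# from "output alert_syslog: LOG_AUTH LOG_ALERT" in snort.conf plus an
# "auth.* @loghost" style line in syslog.conf (assumption: classic Snort 2 /
# BSD syslog setup, not shown here). One unrelated sshd line is mixed in.
SAMPLE_LOG = """\
Feb 19 09:58:01 sensor01 snort[812]: [1:1917:6] SCAN UPnP service discover attempt [Classification: Detection of a Network Scan] [Priority: 3] {UDP} 10.1.1.5:1900 -> 239.255.255.250:1900
Feb 19 09:58:03 sensor02 snort[640]: [1:2003:8] MS-SQL Worm propagation attempt [Classification: Misc Attack] [Priority: 2] {UDP} 172.16.4.9:1434 -> 10.2.0.7:1434
Feb 19 09:58:04 sensor02 snort[640]: [1:2003:8] MS-SQL Worm propagation attempt [Classification: Misc Attack] [Priority: 2] {UDP} 172.16.4.9:1434 -> 10.2.0.8:1434
Feb 19 09:58:09 sensor01 snort[812]: [1:384:5] ICMP PING [Classification: Misc activity] [Priority: 3] {ICMP} 10.1.1.20 -> 10.1.1.1
Feb 19 09:58:10 sensor03 sshd[221]: Accepted publickey for ops from 10.9.9.9 port 40122 ssh2
Feb 19 09:58:12 sensor02 snort[640]: [1:2003:8] MS-SQL Worm propagation attempt [Classification: Misc Attack] [Priority: 2] {UDP} 172.16.4.9:1434 -> 10.2.0.9:1434
"""

# BSD syslog prefix (timestamp, sensor hostname, snort[pid]:) followed by the
# Snort 2 alert_syslog body: [gid:sid:rev] msg [Classification: ...]
# [Priority: n] {PROTO} src -> dst. Classification is optional because rules
# without a classtype omit it; ICMP endpoints carry no :port suffix.
ALERT_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<sensor>\S+) snort\[\d+\]: "
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<msg>.*?) "
    r"(?:\[Classification: (?P<cls>[^\]]*)\] )?"
    r"\[Priority: (?P<pri>\d+)\] "
    r"\{(?P<proto>[A-Z0-9]+)\} (?P<src>\S+) -> (?P<dst>\S+)$"
)


@dataclass(frozen=True)
class Alert:
    sensor: str
    gid: int
    sid: int
    rev: int
    msg: str
    classification: Optional[str]
    priority: int
    proto: str
    src: str
    dst: str


def parse_alert(line: str) -> Optional[Alert]:
    """Parse one forwarded syslog line; return None for lines snort did not write."""
    m = ALERT_RE.match(line.rstrip("\n"))
    if not m:
        return None
    return Alert(
        sensor=m["sensor"], gid=int(m["gid"]), sid=int(m["sid"]), rev=int(m["rev"]),
        msg=m["msg"], classification=m["cls"], priority=int(m["pri"]),
        proto=m["proto"], src=m["src"], dst=m["dst"],
    )


def host_of(endpoint: str) -> str:
    """Strip the :port suffix alert_syslog appends for TCP/UDP (IPv4 only, as in Snort 2)."""
    return endpoint.rsplit(":", 1)[0] if ":" in endpoint else endpoint


def summarize(lines: Iterable[str], fanout_threshold: int = 3) -> dict:
    """Roll up alerts per signature and per sensor, and report sources that hit at
    least fanout_threshold distinct destination hosts with the same signature."""
    by_sig: Counter = Counter()
    by_sensor: Counter = Counter()
    targets = defaultdict(set)
    skipped = 0
    for line in lines:
        a = parse_alert(line)
        if a is None:
            skipped += 1  # non-snort syslog traffic on the same logserver
            continue
        by_sig[(a.gid, a.sid, a.msg)] += 1
        by_sensor[a.sensor] += 1
        targets[(a.sid, host_of(a.src))].add(host_of(a.dst))
    fanout = {k: len(v) for k, v in targets.items() if len(v) >= fanout_threshold}
    return {"by_sig": by_sig, "by_sensor": by_sensor, "fanout": fanout, "skipped": skipped}


if __name__ == "__main__":
    report = summarize(SAMPLE_LOG.splitlines())
    for (gid, sid, msg), n in report["by_sig"].most_common():
        print(f"{n:4d}  [{gid}:{sid}] {msg}")
    for sensor, n in sorted(report["by_sensor"].items()):
        print(f"{sensor}: {n} alerts")
    for (sid, src), n in report["fanout"].items():
        print(f"fan-out: {src} hit {n} hosts with sid {sid}")
    print(f"skipped {report['skipped']} non-snort lines")
```

Because the parser drops anything that is not a snort line, the same script can run over the logserver's mixed syslog stream; a real deployment would feed it the forwarded file incrementally rather than the embedded sample.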
