Snort mailing list archives

RE: Acid database lost events, help!!!


From: Tinsley Paul <Paul.Tinsley () HCAhealthcare com>
Date: Wed, 21 May 2003 10:25:12 -0500

Looking at the size of the database isn't a good telling sign of how much
data you have in a MySQL database.  When records are deleted the space is
not reclaimed unless you specifically reclaim it.  From MySQL docs: "Deleted
records are maintained in a linked list and subsequent INSERT operations
reuse old record positions."

See http://www.mysql.com/doc/en/OPTIMIZE_TABLE.html for more information on
the subject.

One thing that you have to be careful with in reference to ACID is the
timeout you have set for PHP.  If it's in the middle of an operation and PHP
decides the task has been running too long, it will give your process the
axe.  If the code isn't written with that in mind it could easily corrupt
your data :( 

-----Original Message-----
From: Brei, Matt [mailto:mbrei () medclaiminc com]
Sent: Wednesday, May 21, 2003 9:46 AM
To: snort-users () lists sourceforge net
Subject: [Snort-users] Acid database lost events, help!!!


I have been running snort for about 4 months.  The Snort db had about 12000
alerts and the archive db had about 19000.  I moved all of the alerts from
April to the archive db, ACID said it successfully moved 8000 alerts, which
SHOULD leave me with about 4000 in the main db and 27000 in the archive db.
The archive db only has about 20000 and the main db is now empty.  The
strange thing is, in the mysql db directory, none of the main Snort db file
sizes got any smaller and the archive files grew in size.  What happened to
the alerts?

Snort 1.9.1 on Redhat 7.2 alerts to
ACID v0.9.6b23, MySQL 3.23.56, Apache 2.0.45 on RedHat 8

Matt Brei


-------------------------------------------------------
This SF.net email is sponsored by: ObjectStore.
If flattening out C++ or Java code to make your application fit in a
relational database is painful, don't do it! Check out ObjectStore.
Now part of Progress Software. http://www.objectstore.net/sourceforge
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users


Current thread: