Re: snort-mysql, logging on TWO sql servers

[Dirk Geschke <Dirk () geschke-online de>]

On Sat, 2003-11-29 at 18:48, Michel Christophe wrote:
> Hello
>
>       I run snort on two separated networks linked over VPN. Snort logging to
> both sql servers taken separately work fine, so does the VPN.
>
>       For security reasons, I would like to mirror the logging of one snort
> sensor to both sql servers..

[...]

> Before I run in big headaches, I would like to ask this list first if
> such a dual logging is possible ??

Yes, it is.

> Then, if this is possible (which I hope), could you enlighten me how
> should I fiddle with snort's config file:
>
> Should I add a second snort-database logging config line such as
> follows:
>
> output database: log, mysql, user=XXXXX password=YYYYY dbname=snort
> host=MACHINE-B encoding=hex detail=full

This is the right configuration. But note: Each output plugin 
has to be finished before snort can start to analyze the next 
network packet. Especially inserting data in a remote database 
is a time consuming procedure. This one of the many reasons I
started to code FLoP: http://www.geschke-online.de/FLoP/ ;-)
(Sorry, but a little bit advertising should not matter...)

Best regards

Dirk



-------------------------------------------------------
This SF.net email is sponsored by: SF.net Giveback Program.
Does SourceForge.net help you be more productive?  Does it
help you create better code?  SHARE THE LOVE, and help us help
YOU!  Click Here: http://sourceforge.net/donate/
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users