Snort mailing list archives

Re: More than one output module


From: sekure <sekure () gmail com>
Date: Thu, 15 Jul 2004 11:29:06 -0400

Joel,

All things considered, database inserts (especially across a network)
take a long time when compared to writing to a local file.
Considering the fact that you are outputting to two different databases
and also to syslog, I wouldn't be surprised if snort is struggling to
keep up, depending on the rate of alerts.

With your configuration, have you thought about letting snort do what
it's supposed to do -- sniff and analyze traffic -- and configuring
barnyard to handle database logging and syslog?  Just configure snort
to log in unified format (very fast), and set barnyard up with
multiple output plugins.

I think you'll have much more luck in that configuration.


----- Original Message -----
From: Esler, Joel - Contractor <joel.esler () rcert-s army mil>
Date: Thu, 15 Jul 2004 10:57:39 -0400
Subject: [Snort-users] More than one output module
To: snort-users () lists sourceforge net


Has anyone experienced any problems with outputting to more than one
output module?  Is there a reason for it? Does the order matter?

I have Snort logging to mysql, oracle, and syslog.  But it seems when
syslog is turned on, occasionally an alert will be missed in the db?
 
J


_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
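The split sekure describes, shown as an added configuration example that is not part of either post: Snort keeps only the fast unified spool, and a separate barnyard process drains that spool into syslog and the database. Host names, file names, the sensor id, the `CHANGEME` passwords and the barnyard command line are assumptions; the directive syntax follows the Snort 2.x and barnyard 0.2-era config files, so check the keywords against the versions you run.

```conf
# --- snort.conf, before: Snort itself writes every alert to three sinks ---
# Each event blocks the packet-processing loop until all three plugins
# return, so a slow network round trip to a database can cost packets.
output database: alert, mysql, user=snort password=CHANGEME dbname=snort host=db1.example
output database: alert, oracle, user=snort password=CHANGEME dbname=snort
output alert_syslog: LOG_AUTH LOG_INFO

# --- snort.conf, after: Snort only appends unified records to local disk ---
# One sequential write per event; the spool rolls over every 128 MB.
output alert_unified: filename snort.alert, limit 128
output log_unified: filename snort.log, limit 128

# --- barnyard.conf: a separate process replays the spool into the slow sinks ---
config hostname: sensor1
config interface: eth0
# input plugins: read Snort's unified alert and log spools
processor dp_alert
processor dp_log
# output plugins: the same destinations Snort used to feed directly.
# The Oracle sink is left out here; confirm your barnyard build supports
# it before moving that target off Snort.
output alert_syslog: LOG_AUTH LOG_INFO
output alert_acid_db: mysql, sensor_id 1, database snort, server db1.example, user snort, password CHANGEME, detail full

# Assumed invocation (flags per the barnyard 0.2 man page; verify locally):
#   barnyard -c /etc/snort/barnyard.conf -d /var/log/snort -f snort.alert \
#            -w /var/log/snort/barnyard.waldo
# The waldo file bookmarks barnyard's position in the spool, so if the
# database is unreachable the events stay on disk and are delivered later
# instead of being dropped while Snort waits on the insert.
```

Because the spool on disk is the record of what Snort saw, a missed database row becomes a delivery problem you can detect by comparing barnyard's bookmark against the spool, rather than an alert that was silently lost while Snort was busy.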

