Snort mailing list archives
Re: Snort populates Mysql a lot
From: "evilghost () packetmail net" <evilghost () packetmail net>
Date: Thu, 23 Dec 2010 09:54:13 -0600
Hi,
On Dec 23, 2010, at 10:04 AM, J. L. Cabral wrote:

> Dear,
> Snort 2.9 is working fine, but I have a problem: in 3 days I get more than 1.000.000 alerts visualized in BASE, and so access to this web interface is very slow. I had to delete all the data from the MySQL tables and start Snort again. Can you give me any advice on getting the alerts without affecting the performance of the system? And approximately how many alerts can MySQL store without crashing?
There are some performance and memory adjustments you can make to MySQL to enhance the performance of MySQLd. Such examples would include enabling caches, indices, and disabling unused storage engines. I have several tables which commonly see about 1.000.000 rows of data or more daily. If you're not familiar with performance adjustments to MySQL, may I suggest a Perl script, available at http://mysqltuner.pl/mysqltuner.pl, as a very good starting point to assess some adjustments you can make to increase performance.

The root issue could be three key items:

1) MySQL box isn't strong enough to handle the query load.
2) MySQL needs some performance tuning and adjustments.
3) Superfluous alerts need to be disabled or removed (as Joel indicated).

I hope this was helpful.

-evilghost
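An added example, not part of the original message: one way to find the superfluous alerts mentioned in item 3 is to rank signatures by how many event rows they contribute. The table and column names (`event.signature` referencing `signature.sig_id`) are assumed to follow Snort's database output schema in simplified form, SQLite stands in for MySQL so the snippet runs offline, and all rows are constructed.

```python
import sqlite3

# Simplified stand-in for the Snort database-output tables (assumed layout:
# event.signature references signature.sig_id). All rows are constructed.
SCHEMA = """
CREATE TABLE signature (sig_id INTEGER PRIMARY KEY, sig_name TEXT,
                        sig_gid INTEGER, sig_sid INTEGER);
CREATE TABLE event (sid INTEGER, cid INTEGER, signature INTEGER,
                    timestamp TEXT, PRIMARY KEY (sid, cid));
CREATE INDEX event_sig ON event (signature);  -- keeps the GROUP BY cheap
"""

TOP_TALKERS = """
SELECT s.sig_gid, s.sig_sid, s.sig_name, COUNT(*) AS hits
FROM event e JOIN signature s ON s.sig_id = e.signature
GROUP BY s.sig_id, s.sig_gid, s.sig_sid, s.sig_name
ORDER BY hits DESC, s.sig_id
"""

def build_sample_db():
    """In-memory database with 1000 constructed events over 3 signatures."""
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    db.executemany("INSERT INTO signature VALUES (?,?,?,?)", [
        (1, "ICMP PING (constructed)", 1, 1000001),
        (2, "Portscan detected (constructed)", 122, 1),
        (3, "SQL injection attempt (constructed)", 1, 1000003)])
    cid = 0
    for sig_id, n in ((1, 900), (2, 95), (3, 5)):
        for _ in range(n):
            cid += 1
            db.execute("INSERT INTO event VALUES (1, ?, ?, ?)",
                       (cid, sig_id, "2010-12-23 09:00:00"))
    return db

def noisy_signatures(db, share=0.8):
    """Smallest set of top signatures producing at least `share` of all events."""
    rows = db.execute(TOP_TALKERS).fetchall()
    total = sum(r[3] for r in rows)
    picked, running = [], 0
    for gid, sid, name, hits in rows:
        if total == 0 or running / total >= share:
            break
        picked.append((gid, sid, name, hits, round(100.0 * hits / total, 1)))
        running += hits
    return picked

if __name__ == "__main__":
    for row in noisy_signatures(build_sample_db()):
        print(row)  # (gid, sid, name, hits, percent of all events)
```

The signatures this returns are the candidates to review for tuning, suppression or disabling before spending effort on database tuning.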
Current thread:
- Snort populates Mysql a lot J. L. Cabral (Dec 23)
- Re: Snort populates Mysql a lot Joel Esler (Dec 23)
- Re: Snort populates Mysql a lot Dustin Webber (Dec 23)
- Re: Snort populates Mysql a lot evilghost () packetmail net (Dec 23)
- <Possible follow-ups>
- Re: Snort populates Mysql a lot Gregory Zill (Dec 23)
- Re: Snort populates Mysql a lot J. L. Cabral (Dec 23)
- Re: Snort populates Mysql a lot Matt Watchinski (Dec 23)
- Re: Snort populates Mysql a lot Joel Esler (Dec 23)
- Re: Snort populates Mysql a lot J. L. Cabral (Dec 30)
- Re: Snort populates Mysql a lot J. L. Cabral (Dec 23)
- Re: Snort populates Mysql a lot Joel Esler (Dec 23)