Re: Database logging

[Jed Pickel <jed () pickel net>]

On Tue, Aug 07, 2001 at 06:07:22PM +0100, Mayers, Philip J wrote:
> I'm trying to database log into Postgresql, and am having some problems:
>
> 1) We're dropping a small (5%) amount of packets, although we are under high
> load 
> 2) After an indeterminate period of time, Postgresql (7.1.2) seems to go
> belly up and snort dies.

There are a couple circumstances that can cause a fatal error in the
database plugin resulting in snort quitting in both the 1.8 and 1.8P1
of snort. This was recently corrected in the development version. If
you get a chance, you may want to grab the latest devel version at the
following url and see if this prevents things from going "belly
up". 

     http://snort.sourceforge.net/snort-daily.tar.gz

If this does not fix the problem let me know.

> So, what I want to do is either:
>
> 1) Log to a pcap/binary file, HUP snort hourly to re-open the files, and
> then run a second copy of snort with the same ruleset, *just* logging into
> Postgres. However, I do this:
>
> /usr/local/bin/snort -A none -c snort-dblog.conf -r snort-<date>.log
>
> This doesn't work - and if I do -A fast/full, I get the alert file/IP-base
> directories, which I don't want. Either way, postgres never seems to get the
> logs.

The -A or -s command line options override ALL of your output
plugins. If you loose the "-A none" that command will work as you
expect.

* Jed

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users