Snort mailing list archives

Sanity check for high volume logging


From: "Zarathustra Ubermensch" <zubermensch () hotmail com>
Date: Mon, 07 Jan 2002 16:34:41 -0500

Hello,
Config: snort 1.8.1 running under Solaris 8 (netra t1) with mysql 3.23

I'm currently monitoring some pretty high traffic levels and am logging them to mysql with the following command lines in my snort.conf

output database: log, mysql, user=mysql sensor_name=sensor.company.com dbname=snort host=localhost

output database: alert, mysql, user=mysql sensor_name=sensor.company.com dbname=snort host=localhost

Performance is lacking, so I'd like to switch to binary logging by using something like "output log_tcpdump: sensor.company.com-tcpdump.log"


My questions:
1. Will this capture both "log" and "alert" information similar to the way in which my current mysql config works? i.e., will I get the same data regardless of the logging mechanism (tcpdump or mysql)?

2. I'd still like to aggregate this data to a much beefier database server for long term trend analysis. Can I use a different snort.conf file that uses "output database" configs and simply replay the tcpdump logs against that snort.conf to populate the database?


I'm pretty sure I already know the answers, but I thought I'd ask JIC there's a better way to do this. Thanks for any help that you can give.

_________________________________________________________________
Send and receive Hotmail on your mobile device: http://mobile.msn.com


_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
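The replay workflow the second question describes, as an added example that is not part of the original post: the sensor keeps logging packets to a tcpdump-format file, and a separate snort.conf with only "output database" plugins is used later to run that file through the rules again on a host that can reach the aggregation database. Everything here beyond the two "output database" lines quoted in the post is an assumption for illustration: the rules include path, the database host name, the pcap file name and the log directory.

```shell
#!/bin/sh
# Added example (not from the original post): replay a tcpdump-format Snort log
# through a second snort.conf whose only output plugins write to MySQL.
# Paths, file names and the database host below are assumptions.
set -e

# Write the replay-side snort.conf. It reuses the two "output database" lines
# from the post but points them at the aggregation host instead of localhost,
# and includes the same rules so alerts are regenerated from the packets
# (the pcap holds packet data only, not the alert messages).
write_replay_conf() {
    conf="$1"
    cat > "$conf" <<'EOF'
# Constructed replay config; the include path and host name are assumed.
include /etc/snort/snort-rules.conf
output database: log, mysql, user=mysql sensor_name=sensor.company.com dbname=snort host=dbserver.company.com
output database: alert, mysql, user=mysql sensor_name=sensor.company.com dbname=snort host=dbserver.company.com
EOF
}

# Build the command line: -r reads packets from the tcpdump log instead of a
# live interface, -c selects the replay config, -l sets the log directory for
# any file-based output the config might still produce.
snort_replay_cmd() {
    printf 'snort -r %s -c %s -l %s' "$1" "$2" "$3"
}

# Run the replay if snort is installed; otherwise just show the command.
replay_pcap() {
    pcap="$1"; conf="$2"; logdir="$3"
    if command -v snort >/dev/null 2>&1; then
        snort -r "$pcap" -c "$conf" -l "$logdir"
    else
        echo "snort not found; would run: $(snort_replay_cmd "$pcap" "$conf" "$logdir")" >&2
        return 0
    fi
}

# Usage: sh replay.sh --run   (file names are assumed, adjust to the sensor)
if [ "${1:-}" = "--run" ]; then
    tmpdir=$(mktemp -d)
    write_replay_conf "$tmpdir/snort-replay.conf"
    replay_pcap /var/log/snort/sensor.company.com-tcpdump.log \
                "$tmpdir/snort-replay.conf" /var/log/snort
fi
```

The replay config deliberately carries no log_tcpdump line, so the replay pass only writes to the database and does not produce a second copy of the packets. Because Snort takes the logged timestamps from the packet headers, records inserted during replay keep the times at which the sensor originally captured them rather than the replay time.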

