AW: what would be the appropriate thing to do?

["Poppi, Sandro" <Sandro.Poppi () wacker com>]

Hi Neil, 
> Hi Sandro,
>
> Thanks for the idea. I've got a question though on barnyard.
> This means that logging from branch site to main site via 
> barnyard will not
> be realtime, am I correct?

I would say nearly realtime: Snort logs to a file and barnyard reads that
file. Barnyard can be started as a daemon just like snort and process the
file in realtime. There will be a lag between snort writing to the file and
barnyard reading the alert but that should be in millisecs so I would say
it's still realtime ;)

> Is there any equivalent parameter of unified logging in the 
> command line?

I didn't find it in the man page so I would say no.

Ciao,
Sandro
> ----- Original Message -----
> From: "Poppi, Sandro" <Sandro.Poppi () wacker com>
> To: "'Onie Camara'" <neil () restricted dyndns org>;
> <Snort-users () lists sourceforge net>
> Sent: Thursday, April 04, 2002 11:10 PM
> Subject: AW: [Snort-users] what would be the appropriate thing to do?
>
>
> > I'm in the same situation right now. I thought of using the 
> following
> > szenario:
> >
> > - let snort use the unified output plugin
> > - use barnyard to send the data to a central mysql database
> > - use stunnel to encrypt the barnyard-db connection
> >
> > With this configuration there shouldn't be a performance 
> issue with snort
> > because snort only logs locally. What could be a perfomance 
> issue is when
> > there are a lot of alerts to be sent to the db and the wan 
> line is already
> > busy, but that's another question.
> >
> > I will test that hopefully soon in my lab.
> >
> > Any comments?
> >
> > BTW, the barnyard homepage is 
> http://sourceforge.net/projects/barnyard
> > HTH,
> > Sandro
> > > Ok. Assuming I have setup many sensors on the main ofc and
> > > few more sensors
> > > on another branch.
> > > These sensors logs to mysql db. On the branch site, it does
> > > not log to mysql
> > > located in the main ofc.
> > >
> > > I recall a post that someone mentioned about rsync but I
> > > couldnt remember
> > > how it was used.
> > >
> > > 1. Would it be a good idea to configure branch site to log to
> > > the main site?
> > > I'm seeing performance
> > > degradation here as it will use the wan connection.
> > >
> > > 2. In just one site, say main ofc, is it a good idea to 
> configure the
> > > sensors to log to a main mysql server?
> > >
> > > 3. What would be the best design of snort if I will install
> > > if the network
> > > is Enterprise.
> > >
> > > Thanks.
> > >
> > > Neil
> > >
> > >
> > > _______________________________________________
> > > Snort-users mailing list
> > > Snort-users () lists sourceforge net
> > > Go to this URL to change user options or unsubscribe:
> > > https://lists.sourceforge.net/lists/listinfo/snort-users
> > > Snort-users list archive:
> > > http://www.geocrawler.com/redir-sf.php3?list=snort-users

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users