Snort mailing list archives
Re: Performance Question
From: twig les <twigles () yahoo com>
Date: Thu, 19 Feb 2004 21:34:34 -0800 (PST)
--- Martin_Bündgens <mb () insidetheweb de> wrote:
Hello, I installed Snort 2.01 as a SuSE 9 RPM. The program itself logs all rule faults in /var/log/snort as a complete snort.log and creates an extra folder for every IP, including the fault message as a single file from the IP.

My first question: is this a common option, that Snort creates an extra folder for all IPs? If not, how do I deactivate it?

Second question: can these tons of folders/files (about 2000-5000) affect the server performance? I don't think so, but one person from our data center insists that the "snort" logging process is the problem for high loads in combination with logrotate.

Thanks for your time.

Regards, Martin Bündens

1. This is a default behavior that you can turn off with the -N switch.

2. There are 3 major ways to measure server performance (IMO, don't fillet me plz): CPU, memory and disk I/O. This logging to disk will hurt you on disk I/O. Screw around with vmstat and see if your disk is the biggest bottleneck. They can take up a lot of room too, and gzipping a 250 meg file on a production box is no fun either, can peg the CPU some, which may be what your data center buddy is talking about. If so, tell him to renice the proc for starters.

I don't personally find this structure to be very helpful, but some people use the info for homegrown shell or perl scripts. It's up to you.
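
The vmstat check suggested in the reply above, as an added example that is not part of the original post: it reads `vmstat` output, maps columns by header name, and reports whether disk I/O wait or CPU dominates. The function name, the sample output and the thresholds are constructed assumptions.

```shell
#!/bin/sh
# Added example: classify a vmstat run as disk-bound, CPU-bound or neither.
# On a live box:  vmstat 5 6 | vmstat_bottleneck

# Constructed sample (not from the original post): "vmstat 5 4" on a box
# where a process is writing many small files to disk.
SAMPLE_VMSTAT='procs -----------memory---------- ---swap-- -----io---- -system-- ------cpu-----
 r  b   swpd   free   buff  cache   si   so    bi    bo   in   cs us sy id wa st
 1  0      0 812344  40212 403112    0    0    12    45  210  380  5  2 92  1  0
 0  3      0 801200  40240 410020    0    0    20  6200  940 1500  6  4 35 55  0
 1  4      0 799876  40260 411900    0    0    16  7100  990 1620  5  5 30 60  0
 0  3      0 798120  40288 413004    0    0    24  6600  960 1580  7  4 34 55  0'

# vmstat_bottleneck (hypothetical helper): reads vmstat output on stdin.
vmstat_bottleneck() {
    awk '
    # Header row: map column names to positions, because the layout
    # differs between vmstat versions (older ones lack "wa" or "st").
    $1 == "r" && $2 == "b" {
        for (i = 1; i <= NF; i++) col[$i] = i
        next
    }
    # Data rows start with a number. The first one holds averages since
    # boot, so it is skipped and only the interval samples are used.
    $1 ~ /^[0-9]+$/ && ("us" in col) {
        if (++rows == 1) next
        n++
        cpu += $col["us"] + $col["sy"]
        if ("wa" in col) wa += $col["wa"]
        blocked += $col["b"]      # processes in uninterruptible (I/O) sleep
        bo += $col["bo"]          # blocks written out per second
    }
    END {
        if (n == 0) { print "no-data"; exit }
        # Thresholds are assumptions for illustration, not tuning advice.
        if (wa / n >= 25 || blocked / n >= 2) verdict = "disk-io"
        else if (cpu / n >= 80) verdict = "cpu"
        else verdict = "neither"
        printf "%s cpu=%d%% iowait=%d%% blocked=%d bo=%d\n",
               verdict, cpu / n, wa / n, blocked / n, bo / n
    }'
}

printf '%s\n' "$SAMPLE_VMSTAT" | vmstat_bottleneck
```

Run it once while logrotate is compressing the Snort logs and once during normal logging; a verdict that changes between the two runs separates the gzip CPU cost from the per-IP file writes.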