Snort mailing list archives

RE: More than one output module


From: "Esler, Joel - Contractor" <joel.esler () rcert-s army mil>
Date: Thu, 15 Jul 2004 12:51:53 -0400

I just took a 4 second look at barnyard and oracle didn't pop out at me,
does barnyard log to Oracle?

J

-----Original Message-----
From: sekure [mailto:sekure () gmail com] 
Sent: Thursday, July 15, 2004 11:29 AM
To: Esler, Joel - Contractor
Cc: snort-users () lists sourceforge net
Subject: Re: [Snort-users] More than one output module


Joel,

All things considered, database inserts (especially across a network)
take a long time when compared to writing to a local file. 
Considering the fact that you are outputting to two different databases
and also to syslog, I wouldn't be surprised if snort is struggling to
keep up, depending on the rate of alerts.

With your configuration have you thought about letting snort do what
it's supposed to do -- sniff and analyze traffic, and configure barnyard
to handle database logging and syslog.  Just configure snort to log in
unified format (very fast), and set barnyard up with multiple output
plugins.

I think you'll have much more luck in that configuration.


----- Original Message -----
From: Esler, Joel - Contractor <joel.esler () rcert-s army mil>
Date: Thu, 15 Jul 2004 10:57:39 -0400
Subject: [Snort-users] More than one output module
To: snort-users () lists sourceforge net


Has anyone experienced any problems with outputting to more than one
output module?  Is there a reason for it? Does the order matter?
 
I have Snort logging to mysql, oracle, and syslog.  But it seems when
syslog is turned, occasionally an alert will be missed in the db?
 
J

