Snort mailing list archives

Re: 2GB limit on alert log (For Keith)


From: "Aaron" <snort () microchp org>
Date: Thu, 22 Jul 2004 10:27:24 -0700

I knew this would make no sense to those who do things the right way. Don't get me wrong Keith, you are 100% correct.

This is all part of a long, really messed up political thing. I don't much like politics so I just sit back and watch people do stupid sh.t every day.

On the flip side however, the 50GB files are from another application unrelated to snort. That was just an example showing that the file system was not limited to 2GB. Really an obscure reference. If the file were to grow unrestricted, it would be about 3.5 to 5GB per month, of which compresses down really nice. The plan, or at least my plan is to rotate monthly.

Yup... In the world of real time monitoring and fixing stuff, well, this just isn't there for that. It is to make purdy reports for a few folks. I am supposed to archive the data as well for the goofy ass title of sas-70 type II rating. I so despise doing things in a superficial manner strictly for the purpose of making something look good on paper. How can we get that rating without monitoring stuff you ask? I asked that too. "An owl heard it. An odd dog barked." --D.A.

In reality, you or I would not do something like this and would dedicate at least 5 or 6 people to monitoring and researching alerts. This is just a weird dream, so that ain't happenin.

When I used MySQL, that was great, but honestly I didn't have the time to monitor it and was not allowed to spend more than 1 hour a day on it. I spent a lot of time maintaining the database that nobody could look at. That is why it is now going to the "set it and forget about it" mode, thus the need for snort to keep running even if the logs should grow over the 2GB limit.

I know this answer does not really begin to touch on anything that would satisfy your curiosity. Honestly, if you knew the whole story it would probably make you physically ill as it does me. They keep blowing holes in me ship.



[snip...]
OK. My curiosity is getting the better of me. Why on earth would you want a 50GB flat file full of logs? Presumably, at some point, you have to move this into a database, otherwise any type of meaningful analysis and/or follow-up is not possible, without modifying the original log, which is not possible :)
[snip...]





_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net

