[Snort-users] Re: Project PigRoast and logging...
gbinder at ...462...
Wed Oct 11 06:12:49 EDT 2000
Jason Haar on Wed, Oct 11, 2000 at 04:04:18PM +1300:

> Why bother with grotty old syslog when you can have several snort servers
> dumping to the same SQL server?

for real-time alerts.

I am using syslog-ng to do this, and I have to say I'm quite happy

> I mean syslog is UDP and lossy, etc, etc....

I can't say much about MySQL, but an SQL server is a more complex
system than a syslog server, thus it has a higher potential of failure
and scaling it is more expensive. Achieving high availability is more
difficult, expensive and error prone than doing this with a syslog

I think collecting intrusion data in a database is a good idea, but I
wouldn't use it as the only means to do so, and I would be careful
not to make it the SPOF of my intrusion detection system.

syslog-ng can do logging over tcp as well, btw.

Gregor Binder <gbinder at ...462...> http://www.sysfive.com/~gbinder/
sysfive.com GmbH UNIX. Networking. Security. Applications.
Gaertnerstrasse 125b, 20253 Hamburg, Germany TEL +49-40-63647482
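
The following syslog-ng configuration is an added example, not part of the original message or of the Snort or syslog-ng projects' own files. It shows the two points raised above: forwarding Snort alerts over TCP instead of UDP, and keeping a local copy so the central collector is not the only record. The address 192.0.2.10, the file paths and all object names are placeholders, and it assumes Snort is already logging alerts to the local syslog socket.

```conf
# Added example; names, paths and 192.0.2.10 are placeholders.

# ---- Sensor side (syslog-ng.conf on each Snort host) ----
# Assumes Snort writes alerts to local syslog, e.g. with
# "output alert_syslog: LOG_AUTH LOG_ALERT" in snort.conf.
source s_local { unix-stream("/dev/log"); internal(); };

# Select only messages whose program name is snort.
filter f_snort { program("snort"); };

# Weak setting: UDP transport, delivery is not acknowledged and
# datagrams can be lost without the sender noticing.
# destination d_central { udp("192.0.2.10" port(514)); };

# Corrected setting: TCP transport to the central collector.
destination d_central { tcp("192.0.2.10" port(514)); };

# Local copy on the sensor, so alerts survive a collector outage.
destination d_local { file("/var/log/snort-alerts.log"); };

log {
    source(s_local);
    filter(f_snort);
    destination(d_central);
    destination(d_local);
};

# ---- Collector side (syslog-ng.conf on the central log host) ----
source s_sensors { tcp(ip(0.0.0.0) port(514)); };

# One file per sending sensor, directories created on demand.
destination d_alerts {
    file("/var/log/sensors/$HOST/snort.log" create_dirs(yes));
};

log { source(s_sensors); destination(d_alerts); };
```

A database output can run alongside this on the same sensors; the syslog path then remains available if the SQL server is down.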