[Snort-users] Re: Project PigRoast and logging...

Gregor Binder gbinder at ...462...
Wed Oct 11 06:12:49 EDT 2000


Jason Haar on Wed, Oct 11, 2000 at 04:04:18PM +1300:

Hi,

> Why bother with grotty old syslog when you can have several snort servers
> dumping to the same SQL server?

for real-time alerts.

I am using syslog-ng to do this, and I have to say I'm quite happy
with it.

> I mean syslog is UDP and lossy, etc, etc....

I can't say much about MySQL, but an SQL server is a more complex
system than a syslog server, thus it has a higher potential of failure
and scaling it is more expensive. Achieving high availability is more
difficult, expensive and error prone than doing this with a syslog
server.

I think collecting intrusion data in a database is a good idea, but I
wouldn't use it as the only means to do so, and I would be careful
not to make it the SPOF of my intrusion detection system.

syslog-ng can do logging over TCP as well, btw.

Greetings,
  Gregor.

-- 
Gregor Binder  <gbinder at ...462...>  http://www.sysfive.com/~gbinder/
sysfive.com GmbH             UNIX. Networking. Security. Applications.
Gaertnerstrasse 125b, 20253 Hamburg, Germany       TEL +49-40-63647482
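As an added illustration of the setup described in this post (not configuration from the author or from the Snort project), the following syslog-ng fragment keeps a local copy of Snort's syslog alerts on the sensor and forwards them to a central collector over TCP, so the central store is not the single point of failure. Assumed values: Snort logging to syslog under the program name `snort`, a placeholder collector address `192.0.2.10`, and the legacy `tcp()` destination driver syntax (newer 3.x releases also accept `network(... transport("tcp"))`).

```conf
# Added example: syslog-ng configuration for a Snort sensor.
# Assumptions: Snort writes alerts to syslog (e.g. snort -s) with the
# program name "snort"; 192.0.2.10 is a placeholder collector address.

options {
    use_dns(no);           # no DNS lookups on the sensor's hot path
    keep_hostname(yes);    # keep the sensor's own hostname in forwarded records
};

# Local syslog socket on the sensor, where Snort's syslog alerts arrive
source s_local {
    unix-stream("/dev/log");
    internal();
};

# Select only messages produced by the snort process
filter f_snort { program("snort"); };

# Local copy: still written if the collector or the network is down
destination d_local_snort {
    file("/var/log/snort/alert.syslog");
};

# Central collector over TCP rather than lossy UDP
destination d_collector {
    tcp("192.0.2.10" port(514));
};

# One log path fans the filtered alerts out to both destinations
log {
    source(s_local);
    filter(f_snort);
    destination(d_local_snort);
    destination(d_collector);
};
```

The collector can then load the received records into the SQL database on its own schedule, keeping the database off the sensor's critical path.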