[Snort-users] Re: Project PigRoast and logging...

Jason Haar Jason.Haar at ...294...
Wed Oct 11 18:40:17 EDT 2000


On Wed, Oct 11, 2000 at 12:12:49PM +0200, Gregor Binder wrote:
> Jason Haar on Wed, Oct 11, 2000 at 04:04:18PM +1300:
> 
> Hi,
> 
> > Why bother with grotty old syslog when you can have several snort servers
> > dumping to the same SQL server?
> 
> for real-time alerts.

Ah yes - but even these aren't "real" real-time alerts - you're tail'ing
syslog right? 

As such, turn on logging in MySQL and do the same thing there...

> I can't say much about MySQL, but an SQL server is a more complex
> system than a syslog server, thus it has a higher potential of failure
> and scaling it is more expensive. Achieving high availability is more
> difficult, expensive and error prone than doing this with a syslog
> server.
> 
> I think collecting intrusion data in a database is a good idea, but I
> wouldn't use it as the only means to do so, and I would be careful
> not to make it the SPOF of my intrusion detection system.
> 
> syslog-ng can do logging over tcp as well, btw.
> 


Hmmm, TCP based, and certainly simpler....

Hard one to beat - I agree with you! :-)

MySQL for long-term analysis, syslog-ng for alerts, Mmmmmmm.... :-)

-- 
Cheers

Jason Haar

Unix/Network Specialist, Trimble NZ
Phone: +64 3 9635 377 Fax: +64 3 9635 417
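The "tail syslog for real-time alerts" approach the thread settles on, as an added example (not code from the original posts or from the Snort or syslog-ng projects). It follows a growing syslog file the way `tail -f` does, picks out Snort alert lines, and yields only those at or above a priority threshold; the Snort syslog line layout used here is constructed for the example, and the file path is a placeholder.

```python
"""Follow a syslog file and emit structured Snort alerts in near real time.

Added example, not code from the thread. Assumption: Snort writes one-line
syslog alerts of the form constructed in SAMPLE_LOG below (gid:sid:rev,
message, optional classification, priority, protocol, src -> dst), and the
collector (e.g. syslog-ng over TCP) appends them to a file on this host.
"""
import io
import re
import time

# Constructed alert layout for this example; real deployments should check
# the line format their Snort version and syslog daemon actually produce.
ALERT_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s+(?P<host>\S+)\s+snort(?:\[\d+\])?:\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+"
    r"(?:\[Classification:\s*(?P<classification>[^\]]*)\]\s+)?"
    r"\[Priority:\s*(?P<prio>\d+)\]:?\s+"
    r"\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+)(?::(?P<sport>\d+))?\s+->\s+"
    r"(?P<dst>[\d.]+)(?::(?P<dport>\d+))?\s*$"
)

# Constructed sample log: two high-priority Snort alerts, one unrelated sshd
# line, and one low-priority Snort alert. SIDs and addresses are made up.
SAMPLE_LOG = (
    "Oct 11 18:40:17 sensor1 snort[1234]: [1:1000001:1] CONSTRUCTED shellcode alert "
    "[Classification: Attempted User Privilege Gain] [Priority: 1]: {TCP} 10.0.0.5:80 -> 192.168.1.20:3412\n"
    "Oct 11 18:40:18 sensor1 snort[1234]: [1:1000002:1] CONSTRUCTED info leak "
    "[Classification: Attempted Information Leak] [Priority: 2]: {TCP} 192.168.1.7:4132 -> 10.0.0.9:705\n"
    "Oct 11 18:40:19 sensor1 sshd[99]: Accepted publickey for alice from 192.168.1.3\n"
    "Oct 11 18:40:20 sensor2 snort[77]: [1:1000003:1] CONSTRUCTED noisy scan "
    "[Priority: 3]: {UDP} 10.1.1.1:1434 -> 10.0.0.2:1434\n"
)


def parse_alert(line):
    """Return a dict of alert fields, or None if the line is not a Snort alert."""
    m = ALERT_RE.match(line.rstrip("\n"))
    if not m:
        return None
    alert = m.groupdict()
    for key in ("gid", "sid", "rev", "prio"):
        alert[key] = int(alert[key])
    return alert


def follow(fp, poll=0.5, stop_at_eof=False):
    """Yield lines as they are appended to fp, like `tail -f`.

    stop_at_eof=True returns once the current end of file is reached, which
    keeps the generator finite for tests and one-shot runs.
    """
    while True:
        line = fp.readline()
        if line:
            yield line
        elif stop_at_eof:
            return
        else:
            time.sleep(poll)


def alerts(lines, max_priority=2):
    """Filter a line stream down to Snort alerts at or above the threshold.

    Snort priorities count down: 1 is the most severe, so "at or above" means
    prio <= max_priority.
    """
    for line in lines:
        alert = parse_alert(line)
        if alert is not None and alert["prio"] <= max_priority:
            yield alert


def demo():
    """Run the pipeline over the constructed sample and return the alerts."""
    return list(alerts(follow(io.StringIO(SAMPLE_LOG), stop_at_eof=True)))


if __name__ == "__main__":
    # Placeholder path; point this at the file your syslog collector writes.
    path = "/var/log/snort-alerts.log"
    try:
        with open(path) as fp:
            fp.seek(0, io.SEEK_END)  # only new alerts, like tail -f
            for a in alerts(follow(fp)):
                print(f"{a['ts']} {a['host']} prio={a['prio']} {a['msg']} "
                      f"{a['src']} -> {a['dst']}")
    except FileNotFoundError:
        for a in demo():
            print(f"{a['ts']} {a['host']} prio={a['prio']} {a['msg']}")
```

Note that this is exactly the "not really real-time" mechanism Jason points out: latency is the syslog write plus the poll interval, and if the collector is the only place alerts land, it is also the single point of failure Gregor warns about. Keeping the database for long-term analysis and a separate syslog feed for alerting, as the thread concludes, means neither path alone has to be perfect.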