[Snort-users] mysql.php3 - performance issues.
cmg at ...671...
Thu Oct 19 22:45:35 EDT 2000
In helping think about these problems with other processing scripts,
the real idea is to store a lot of the information pre-processed and
then incrementally add the new stuff. Unfortunately, this jump is
often not a trivial hop.
Maybe a cron job that performs tallies into the DB hourly. Without
doing this, it's hard to even get to daily resolution in a reasonable
amount of time. A half million+ events isn't going to be something
you want to wait for each time. I doubt switching DB backends would
help you out - you've got non-trivial amounts of processing to do.
Short term solution is to look at hourly/daily
Long term is to redesign the processing methodology or wait till someone
else does it first...
Jason Boyer <jason at ...418...> writes:
> Currently logging all alerts to MYSQL as well as to a log file, problem
> is that using the mysql.php3 script that came with snort it takes almost
> a full hour to process and load. What is the better approach to making
> this script load faster? Only two options I saw were either to switch
> databases or limit the amount of logging I am doing to the mysql
> database. Currently the database has about 550,000 events in it which is
> one month's activity. (Snort box is p3 550 / 128MB Ram) Any other ideas
> / suggestions would be helpful.
Chris Green <cmg at ...671...>
A good pun is its own reword.
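
The hourly tally suggested in the reply above, as an added example that is not part of the original post and is not Snort's or mysql.php3's code. It uses SQLite as a stand-in for MySQL so it runs offline; the table names, columns and the id watermark are assumptions made for illustration. roll_up() is what the hourly cron job would call.

```python
import sqlite3
# Hypothetical, simplified tables (an assumption; not the schema Snort ships).
SCHEMA = """
CREATE TABLE event (id INTEGER PRIMARY KEY AUTOINCREMENT,
                    signature TEXT NOT NULL, ts TEXT NOT NULL);
CREATE TABLE hourly_tally (hour TEXT NOT NULL, signature TEXT NOT NULL,
                           n INTEGER NOT NULL, PRIMARY KEY (hour, signature));
CREATE TABLE tally_state (last_id INTEGER NOT NULL);
INSERT INTO tally_state VALUES (0);
"""

def roll_up(conn):
    """Fold only events above the watermark into hourly_tally; return how many."""
    with conn:  # tallies and watermark commit (or roll back) together
        last_id = conn.execute("SELECT last_id FROM tally_state").fetchone()[0]
        count, max_id = conn.execute(
            "SELECT COUNT(*), COALESCE(MAX(id), ?) FROM event WHERE id > ?",
            (last_id, last_id)).fetchone()
        if count:
            conn.execute(
                """INSERT INTO hourly_tally (hour, signature, n)
                   SELECT strftime('%Y-%m-%d %H:00', ts), signature, COUNT(*)
                   FROM event WHERE id > ? AND id <= ?
                   GROUP BY 1, 2 ON CONFLICT(hour, signature)
                   DO UPDATE SET n = hourly_tally.n + excluded.n""",
                (last_id, max_id))
            conn.execute("UPDATE tally_state SET last_id = ?", (max_id,))
    return count

def daily_totals(conn, day):
    """Per-signature totals for one day, read only from the small tally table."""
    return conn.execute(
        """SELECT signature, SUM(n) FROM hourly_tally WHERE hour LIKE ?
           GROUP BY signature ORDER BY 2 DESC, 1""",
        (day + "%",)).fetchall()

def demo():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    ins = "INSERT INTO event (signature, ts) VALUES (?, ?)"
    # Constructed sample alerts, not real Snort output.
    conn.executemany(ins, [("PING", "2000-10-19 21:05:00"),
                           ("PING", "2000-10-19 21:40:00"),
                           ("SCAN", "2000-10-19 22:10:00")])
    first = roll_up(conn)
    conn.executemany(ins, [("SCAN", "2000-10-19 22:45:35")])  # arrives later
    second = roll_up(conn)
    return first, second, roll_up(conn), daily_totals(conn, "2000-10-19")

if __name__ == "__main__":
    print(demo())
```

Each run touches only rows newer than the stored watermark, so its cost follows the hour's new alerts rather than the full event table, and the report page reads the tally table instead of rescanning events.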