[Snort-users] Logging to a central database

Ed Padin ohdamnthathurts at ...131...
Thu Apr 26 09:28:37 EDT 2001


I'm trying to have a central database for all snort data. I've set up
Postgres and can get snort running on the local machine to log alerts and
packet payloads to the snort database. I now want to get the data from my
remote nodes. Because of our security policies, it's more feasible for me to
transfer the data via secure file copy rather than doing a remote database
client. I read somewhere that a good method is to have snort log the packets
in tcpdump format and then transfer the tcpdump output files to the central
database server. I can then have another copy of snort run through the file
and log the packets in the sql database. The problem I am running into is
that snort seems to take all packets and log them, not just the ones that
match the filter expressions. The file gets way too big. What am I doing
wrong? Is there a better way to accomplish my goal?

I appreciate any help anyone can offer.
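The three-stage pipeline the post describes (log matching packets in tcpdump format on the sensor, ship the file with scp, replay it into the database on the central host), as an added example that is not from the post or the Snort project. It assumes Snort 1.x style options (-c, -b, -l, -r); the config path, log directory, database host and spool directory are placeholders.

```shell
#!/bin/sh
# Added example of the sensor -> scp -> central-replay workflow described above.
# Paths, the database host and the spool directory are assumptions, not values
# from the post. Snort options used: -c (rules file), -b (tcpdump-format log),
# -l (log directory), -r (read a capture file instead of an interface).
set -eu

SNORT_CONF=${SNORT_CONF:-/etc/snort/snort.conf}  # ruleset; also holds the output database: line
LOG_DIR=${LOG_DIR:-/var/log/snort}
DB_HOST=${DB_HOST:-dbhost.example}               # central database server (placeholder)
SPOOL=${SPOOL:-/var/spool/snort-inbound}         # where shipped files land on DB_HOST
DRY_RUN=${DRY_RUN:-0}                            # 1 = print the commands instead of running them

run() { if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi; }

# Sensor side. Without -c snort is a plain packet logger and writes every packet
# it sees, which is how the -b file balloons. With -c it runs the ruleset and only
# logs packets that trigger a rule, so the tcpdump-format file stays small.
sensor_log() {
  run snort -c "$SNORT_CONF" -b -l "$LOG_DIR" "$@"
}

# Sensor side. Copy finished snort.log.* files to the central host with scp (the
# "secure file copy" the policy allows) and delete the local copy once it is there.
sensor_ship() {
  for f in "$LOG_DIR"/snort.log.*; do
    [ -f "$f" ] || continue
    run scp "$f" "$DB_HOST:$SPOOL/$(hostname)-$(basename "$f")" && run rm -f "$f"
  done
}

# Central side. Replay each shipped file through a snort instance whose config
# carries the database output plugin; -r reads the file, the rules fire again,
# and the matching packets are written to Postgres. Mark each file when done.
central_import() {
  for f in "$SPOOL"/*; do
    [ -f "$f" ] || continue
    run snort -c "$SNORT_CONF" -r "$f" && run mv "$f" "$f.done"
  done
}
```

Run sensor_log on each remote node (for example with an interface argument such as -i eth0), sensor_ship from cron on the same node, and central_import from cron on the database server.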

