[Snort-users] Logging to a central database

shawn . moyer shawn at ...1184...
Fri Apr 27 12:50:41 EDT 2001


Ed Padin wrote:

> I can then have another copy of snort run through the file
> and log the packets in the sql database. The problem I am running into is
> that snort seems to take all packets and log them, not just the ones that
> match the filter expressions. The file gets way too big. What am I doing
> wrong? Is there a better way to accomplish my goal?


I'm doing this for several boxes right now via scp'ing the logs to one
central box with no major problems... What are the filter expressions
for?


I'm doing this with one central ruleset and just:

# Replay every capture file a sensor shipped over, one at a time, through the
# central ruleset (-c). -r reads packets from the file instead of the wire,
# -o evaluates pass rules before alert/log rules, -p leaves promiscuous mode off.
for i in /var/log/snort/remote/sensor_number/*.log ; do
    /usr/local/bin/snort -o -p -c /etc/snort.rules -r "${i}"
done


There's a bunch of other stuff as well, but that's the money shot. 

Seems to work fine.




--shawn

-- 

s h a w n   m o y e r
shawn at ...1184...

"Nuclear war would really set back cable."
	                     -- Ted Turner
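A batch version of the replay loop above, added here as an example and not code from the original post: it assumes one capture directory per sensor plus a "done" directory (both hypothetical paths), skips empty captures, and moves each successfully replayed file aside so a re-run of the loop does not log the same packets into the database a second time.

```shell
#!/bin/sh
# Replay archived sensor captures through a central Snort ruleset, once each.
# Assumed layout (hypothetical): one directory per sensor holding the *.log
# capture files copied in by scp; processed captures are moved to DONE_DIR.
SNORT_BIN="${SNORT_BIN:-/usr/local/bin/snort}"
RULES="${RULES:-/etc/snort.rules}"

# replay_sensor_dir SENSOR_DIR DONE_DIR
# Runs every non-empty capture in SENSOR_DIR through "snort -r" with the
# central ruleset and moves it to DONE_DIR on success, so the database
# never receives the same capture twice. Prints the number of captures replayed.
replay_sensor_dir() {
    in_dir="$1"; done_dir="$2"
    count=0
    mkdir -p "$done_dir" || return 1
    for f in "$in_dir"/*.log; do
        [ -e "$f" ] || continue            # glob matched nothing
        if [ ! -s "$f" ]; then             # empty capture: nothing to replay
            mv "$f" "$done_dir/" || return 1
            continue
        fi
        if "$SNORT_BIN" -o -p -c "$RULES" -r "$f" >/dev/null; then
            mv "$f" "$done_dir/" || return 1
            count=$((count + 1))
        else
            # Leave the file in place so the failure can be investigated and retried.
            printf 'snort failed on %s, leaving it in place\n' "$f" >&2
        fi
    done
    echo "$count"
}
```

Run it per sensor from cron, e.g. `replay_sensor_dir /var/log/snort/remote/sensor1 /var/log/snort/done/sensor1`, after the scp job has finished copying.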



