[Snort-users] Sanity check for high volume logging
zubermensch at ...125...
Mon Jan 7 13:35:03 EST 2002
Config: snort 1.8.1 running under Solaris 8 (netra t1) with mysql 3.23
I'm currently monitoring some pretty high traffic levels and am logging them
to mysql with the following command lines in my snort.conf
output database: log, mysql, user=mysql sensor_name=sensor.company.com
output database: alert, mysql, user=mysql sensor_name=sensor.company.com
Performance is lacking, so I'd like to switch to binary logging by using
something like "output log_tcpdump: sensor.company.com-tcpdump.log"
1. Will this capture both "log" and "alert" information similar to the way
in which my current mysql config works? i.e. Will I get the same data
regardless of the logging mechanism (tcpdump or mysql)?
2. I'd still like to aggregate this data to a much beefier database server
for long term trend analysis. Can I use a different snort.conf file that
uses "output database" configs and simply replay the tcpdump logs against
that snort.conf to populate the database?
I'm pretty sure I already know the answers, but I thought I'd ask JIC
there's a better way to do this. Thanks for any help that you can give.
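Added example (not from the original post or the Snort project) sketching the two-config split the question describes: a sensor-side snort.conf that writes packets with log_tcpdump, and a separate replay-side snort.conf that carries the output database lines and is fed from the capture with snort -r. The file names, the dbname and host parameters, the alert_fast plugin, and the log directory are assumptions for illustration and are not taken from the post.

```conf
# --- sensor-side snort.conf (added example; file names assumed) ---
# log_tcpdump is a log-type plugin: it stores the packets that trigger log
# or alert rules in pcap format, but it does not record the alert message
# text, so a lightweight alert plugin is kept alongside it to preserve that.
output log_tcpdump: sensor.company.com-tcpdump.log
output alert_fast: sensor.company.com-alert.fast

# --- replay-side snort-replay.conf on the database host (added example) ---
# Same rule set as the sensor, but output goes to the long-term MySQL store.
# dbname, host and the sensor_name value are assumptions for illustration.
output database: log, mysql, user=mysql dbname=snort host=dbserver sensor_name=sensor.company.com
output database: alert, mysql, user=mysql dbname=snort host=dbserver sensor_name=sensor.company.com

# Replay the capture through the second configuration (run on the db host):
#   snort -r sensor.company.com-tcpdump.log -c snort-replay.conf -l /var/log/snort
# Snort re-evaluates the rules against the replayed packets, so only rules
# that can be matched from the packets present in the capture fire again.
```

The replay-side configuration reads the pcap with snort -r instead of sniffing an interface; everything else (preprocessors, rules, output plugins) comes from the config file passed with -c, which is why a second snort.conf is the natural place for the output database lines.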