[Snort-users] 1 alert but 2 events in database backend?
bianco at ...5229...
Wed Mar 27 05:09:03 EST 2002
Vincent Chen writes:
> Dear all,
> I am running snort 1.8.4 on FreeBSD and using
> postgresql as backend. Recently, I found that every
> alert will generate 2 entries in the event table. Is this
> a bug, or should I check my configuration? Version
> 1.8.3 has the same problem on my system.
It probably means you have the SQL output set to send both logs and
alerts to the database. Many events trigger as both, but you
generally only want to send alerts to the database. This is a pretty
common misconfiguration. Look for lines in snort.conf like:
output database: alert, postgresql, user=snort dbname=snort
output database: log, postgresql, user=snort dbname=snort
You probably have both uncommented. Just comment out the one that
starts "output database: log" and you'll likely find the problem
has cleared up.
David J. Bianco, GSEC <bianco at ...5229...>
Thomas Jefferson National Accelerator Facility
The views expressed herein are solely those of the author and
not those of SURA/Jefferson Lab or the US DOE.
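To check for the misconfiguration David describes without reading snort.conf by eye, here is a small lint script. It is an added example, not code from the original thread or from the Snort project: it parses the "output database: <facility>, <dbtype>, key=value ..." line syntax shown in the reply, reports any backend database that receives both the alert and the log facility, and applies the suggested fix by commenting out the colliding "log" line. The snort.conf fragment embedded in it is constructed for the example.

```python
"""Lint a snort.conf for the duplicate-event misconfiguration: both the
'alert' and the 'log' facility sent to the same database backend.
Added example, not Snort code. Assumes the line syntax
    output database: <facility>, <dbtype>, key=value key=value ...
as shown in the mailing-list reply."""
import re

# facility, db type, then a whitespace-separated list of key=value params
OUTPUT_DB_RE = re.compile(r"^\s*output\s+database\s*:\s*(\w+)\s*,\s*(\w+)\s*,\s*(.*)$")


def parse_output_database_lines(conf_text):
    """Return one dict per active (uncommented) 'output database:' line."""
    entries = []
    for lineno, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.split("#", 1)[0].rstrip()  # drop '#' comments
        m = OUTPUT_DB_RE.match(line)
        if not m:
            continue
        facility, dbtype, params = m.groups()
        kv = dict(p.split("=", 1) for p in params.split() if "=" in p)
        entries.append({"line": lineno, "facility": facility.lower(),
                        "dbtype": dbtype.lower(), "params": kv})
    return entries


def find_duplicate_targets(conf_text):
    """Group output lines by (dbtype, host, dbname); return every target that
    gets both 'alert' and 'log', i.e. will store each event twice."""
    by_target = {}
    for e in parse_output_database_lines(conf_text):
        p = e["params"]
        target = (e["dbtype"], p.get("host", "localhost"), p.get("dbname", ""))
        by_target.setdefault(target, []).append(e)
    problems = []
    for target, ents in by_target.items():
        facilities = {e["facility"] for e in ents}
        if {"alert", "log"} <= facilities:
            problems.append({"target": target, "lines": [e["line"] for e in ents]})
    return problems


def comment_out_colliding_log_outputs(conf_text):
    """Apply the fix from the reply: comment out each 'output database: log'
    line that shares a target with an 'output database: alert' line."""
    bad_lines = {ln for p in find_duplicate_targets(conf_text) for ln in p["lines"]}
    entries = {e["line"]: e for e in parse_output_database_lines(conf_text)}
    out = []
    for lineno, raw in enumerate(conf_text.splitlines(), 1):
        if lineno in bad_lines and entries[lineno]["facility"] == "log":
            out.append("# " + raw)
        else:
            out.append(raw)
    return "\n".join(out) + "\n"


# Constructed snort.conf fragment reproducing the misconfiguration (not from the post).
BAD_CONF = """\
# constructed sample: both facilities point at the same postgresql database
output database: alert, postgresql, user=snort dbname=snort
output database: log, postgresql, user=snort dbname=snort
"""

if __name__ == "__main__":
    for p in find_duplicate_targets(BAD_CONF):
        print("alert and log both sent to %s (lines %s)" % (p["target"], p["lines"]))
    print(comment_out_colliding_log_outputs(BAD_CONF))
```

The lint keys on dbtype, host and dbname rather than on the user, since two outputs with different credentials still write the same event table. Run it against a real snort.conf with `open(path).read()` in place of the embedded sample.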