[Snort-users] new user, great product, but ...
neil at ...1633...
Tue Apr 22 14:09:11 EDT 2003
"Allen, Garrett" <Garrett.Allen at ...8966...> wrote:
[ ... ]
>we were able to quickly detect where
>the problem originated from and shut the machine down. but in the meantime
>snort generated enough log files to fill /var. ouch. any way to slow down
>the volume of log entries? any other operational tips?
You could use a command-line option to put the log files somewhere
other than /var until you get mysql going. Use a filesystem with
*lots* of space, and that won't cause the operating system to pitch
a fit if it should happen to get packed.

Something like ...

    snort < ... > -l $LOGPATH < ... >

... should do it. The filesystem I'm currently using is a 10-gig
partition, though I've never needed anything like that much space.
I set it up right after I stuffed my original and smaller log
directory during a packet storm one day. ;-)

It happens sometimes.

Just curious: What did y'all do to the salesman?

Neil Dickey, Ph.D.
Northern Illinois University
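
An added example, not part of the message above: a pre-flight check that the directory handed to snort -l sits on its own filesystem and has room, so an alert flood cannot fill /var or /. The PROTECTED list, the free-space threshold and the return codes are assumptions of this sketch.

```shell
#!/bin/sh
# Added example: sanity-check a Snort log directory before using it with -l.
# PROTECTED and the return codes are assumptions, not values from the post.

# Paths whose filesystems must never fill up (space-separated).
PROTECTED="${PROTECTED-/ /var}"

# Mount point holding path $1 (last column of POSIX "df -P" output).
# Assumes mount points without embedded spaces.
mount_of() {
    df -P "$1" 2>/dev/null | awk 'NR==2 {print $NF}'
}

# Free space in KB on the filesystem holding path $1.
free_kb() {
    df -Pk "$1" 2>/dev/null | awk 'NR==2 {print $4}'
}

# check_logdir DIR MIN_FREE_KB
# returns 0 = ok, 1 = shares a filesystem with a protected path,
#         2 = too little free space, 3 = DIR missing or unusable
check_logdir() {
    dir=$1
    min=$2
    [ -d "$dir" ] && [ -w "$dir" ] || return 3
    mnt=$(mount_of "$dir")
    [ -n "$mnt" ] || return 3
    for p in $PROTECTED; do
        if [ "$mnt" = "$(mount_of "$p")" ]; then
            echo "$dir is on the same filesystem as $p ($mnt)" >&2
            return 1
        fi
    done
    free=$(free_kb "$dir")
    case $free in ''|*[!0-9]*) return 3 ;; esac
    if [ "$free" -lt "$min" ]; then
        echo "$dir has only $free KB free, want $min" >&2
        return 2
    fi
    return 0
}

# Usage (1 GB minimum is an arbitrary threshold), plus your usual options:
#   check_logdir "$LOGPATH" 1048576 && snort -l "$LOGPATH"
```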