[Snort-users] Big MySQL-Database

Patrice Boulanger pboulanger at ...7942...
Wed Jan 8 03:50:06 EST 2003


hello snort user,

you could use the mysqlhotcopy command to copy your database:

mysqlhotcopy -p=<password> --allowold snortdb SnortAcid

this command copy the database snort to a new db SnortAcid (created if
necessary). You must use --allowold because mysqlhotcopy will abort if
target already exists. You could also use --keepold (try mysqlhotcopy --help
for signification). Beware that the SnortAcid database will be lost on each
rotation.

after the hot copy, you must also delete lines from the snort database:
for example:

---------------------- (not tested !!!)

for i in "acid_ag acid_ag_alert acid_event acid_ip_cache data detail
encoding event icmphdr iphdr opt reference reference_system schema sensor
sig_class sig_reference signature tcphdr udphdr'; do
	echo "delete from $i;" | mysql -D snort -p <password>
done

---------------------- (not tested !!!)

put this two commands in a shell script and add a cron entry to run it every
2 days.

Hope it will help you.

Regards,

-----Message d'origine-----
De : snort-users-admin at lists.sourceforge.net
[mailto:snort-users-admin at lists.sourceforge.net]De la part de Kraus,
Thorsten
Envoyé : mercredi 8 janvier 2003 11:50
À : snort-users at lists.sourceforge.net
Objet : [Snort-users] Big MySQL-Database


Hello Snort Users,

I've set up an Snort system on linux. I use MySQL to store the data from
snort a; nd I use ACID to analyze this data.
But when snort runs a few days, the database is very big and acid runs only
very slowly.

I want to store the data only for eg. 2 days in the database. If the 2 days
are over, then the database should be copied to snortAcidOld and a new
database named SbortAcid should be created. Have you any idea how I can
solve this problem in this or any other way?

I'm looking forward to your answers!



-------------------------------------------------------
This SF.NET email is sponsored by:
SourceForge Enterprise Edition + IBM + LinuxWorld =omething 2 See!
http://www.vasoftware.com
_______________________________________________
Snort-users mailing list
Snort-users at lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=ort-users





More information about the Snort-users mailing list