[Snort-users] Distributed Snort management
bnelson at ...5464...
Wed May 21 18:16:06 EDT 2003
I have many snort sensors that are distributed across large geographic boundaries. Maintaining and monitoring these installations is starting to become troublesome. I have started using SnortCenter to manage and push out rules (which is working great BTW), but I need to figure out a good way to centralize the data and alerts that Snort comes up with.
At first I thought that I could just make all of the sensors log to a centralized MySQL server (all logging to the same database) over stunnel or something like that, but what if a sensor loses connectivity to the MySQL server? I'd lose all of the alerts generated during that time frame (I guess I could log them to flat files on disk as well, but that would defeat the purpose of using a database...no?)
Then I thought maybe I could set up TWO output directives to log all alerts to two separate databases (one local to the sensor and the remote one), but then re-synchronizing the sensor's database to the main MySQL server becomes a problem when connectivity is re-established.
I could also just use MySQL's built-in replication (over stunnel again). That would solve my problem of re-synchronizing databases when connectivity came back (MySQL handles all of that), but then I'd have to have a separate database for each sensor since MySQL doesn't support replication of multiple masters to a single slave (does any database supported by snort do this?). Ideally, I'd like to have all alerts from all sensors go into the SAME database.
Is anyone else in a similar situation? What did you do to centralize your alerts? I'm really open to suggestions......having ACID loaded onto EVERY sensor seems like a waste (not to mention a pain to check regularly).
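The re-synchronization problem raised above (a sensor logging to a local database while the central server is unreachable, then catching up later) can be handled with an idempotent store-and-forward merge. The following is an added example, not code from the original post or from Snort; it assumes a simplified form of Snort's database schema in which every alert is keyed by the pair (sid, cid), sensor id and per-sensor event counter, and uses SQLite in place of the local and central MySQL databases.

```python
"""Store-and-forward resync of Snort alerts into a central database.

Added example, not from the original post or from Snort. Assumes a cut-down
version of Snort's event table keyed by (sid, cid): sid identifies the sensor,
cid is that sensor's event counter, so the pair is unique across all sensors
and the same row can be merged repeatedly without creating duplicates.
"""
import sqlite3

SCHEMA = """
CREATE TABLE IF NOT EXISTS event (
    sid       INTEGER NOT NULL,   -- sensor id
    cid       INTEGER NOT NULL,   -- per-sensor event counter
    signature INTEGER NOT NULL,   -- rule that fired (assumed column)
    timestamp TEXT    NOT NULL,
    PRIMARY KEY (sid, cid)
);
"""

def open_db(path=":memory:"):
    conn = sqlite3.connect(path)
    conn.executescript(SCHEMA)
    return conn

def resync(local, central, sid):
    """Push alerts from one sensor's local database into the central one.

    Rows are selected by set difference on cid rather than a high-water mark,
    because flapping connectivity can leave gaps: the central server may hold
    cid 5 while 3 and 4 were only logged locally. INSERT OR IGNORE makes a
    retried resync after a dropped connection harmless. Returns rows merged.
    """
    have = {r[0] for r in central.execute("SELECT cid FROM event WHERE sid = ?", (sid,))}
    rows = [r for r in local.execute(
        "SELECT sid, cid, signature, timestamp FROM event WHERE sid = ? ORDER BY cid", (sid,))
        if r[1] not in have]
    with central:  # connection as context manager commits, or rolls back on error
        central.executemany("INSERT OR IGNORE INTO event VALUES (?, ?, ?, ?)", rows)
    return len(rows)

def demo():
    """Constructed sample: sensor 7 logged alerts 1-6 locally; the central
    server only received 1, 2 and 5 directly because the link was flapping."""
    local, central, sid = open_db(), open_db(), 7
    alerts = [(sid, i, 1000 + i, f"2003-05-21 18:0{i}:00") for i in range(1, 7)]
    local.executemany("INSERT INTO event VALUES (?, ?, ?, ?)", alerts)
    central.executemany("INSERT INTO event VALUES (?, ?, ?, ?)", [alerts[0], alerts[1], alerts[4]])
    first = resync(local, central, sid)   # fills the gaps: cid 3, 4 and 6
    second = resync(local, central, sid)  # nothing left to send
    total = central.execute("SELECT COUNT(*) FROM event WHERE sid = ?", (sid,)).fetchone()[0]
    return first, second, total
```

With a real Snort schema the same merge would also have to copy the per-event detail tables (packet headers, payload) that share the (sid, cid) key.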