[Snort-users] snort-mysql, logging on TWO sql servers
Dirk Geschke
Dirk at ...10648...
Sat Nov 29 12:22:02 EST 2003
On Sat, 2003-11-29 at 18:48, Michel Christophe wrote:
> Hello
>
> I run snort on two separated networks linked over VPN. Snort logging to
> both sql servers taken separately work fine, so does the VPN.
>
> For security reasons, I would like to mirror the logging of one snort
> sensor to both sql servers.
[...]
> Before I run into big headaches, I would like to ask this list first if
> such a dual logging is possible?
Yes, it is.
> Then, if this is possible (which I hope), could you enlighten me how
> should I fiddle with snort's config file:
>
> Should I add a second snort-database logging config line such as
> follows:
>
> output database: log, mysql, user=XXXXX password=YYYYY dbname=snort
> host=MACHINE-B encoding=hex detail=full
This is the right configuration. But note: Each output plugin
has to be finished before snort can start to analyze the next
network packet. Especially inserting data in a remote database
is a time-consuming procedure. This is one of the many reasons I
started to code FLoP: http://www.geschke-online.de/FLoP/ ;-)
(Sorry, but a little bit of advertising should not matter...)
Best regards
Dirk
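
Added example, not part of the original message and not code from Snort or FLoP: a small Python model of the blocking behaviour the reply describes, where every alerting packet waits for all output plugins to return and packets are lost once the capture buffer is full. The burst size, buffer size and insert latencies are assumed values chosen for illustration.

```python
from collections import deque

def simulate(arrivals_ms, plugin_latencies_ms, buffer_slots):
    """Model a single-threaded sensor in which every alerting packet blocks
    until all output plugins have returned. Packets that arrive while the
    capture buffer is full are lost. Returns (logged, dropped)."""
    per_packet = sum(plugin_latencies_ms)  # plugins run one after another
    in_system = deque()                    # finish times of accepted packets
    last_finish = 0.0
    logged = dropped = 0
    for t in arrivals_ms:
        while in_system and in_system[0] <= t:
            in_system.popleft()            # output finished before this arrival
        if len(in_system) >= buffer_slots:
            dropped += 1                   # no room: the sensor never sees it
            continue
        last_finish = max(t, last_finish) + per_packet
        in_system.append(last_finish)
        logged += 1
    return logged, dropped

# Constructed scenario (assumed numbers, not measurements of Snort):
BURST = range(200)        # 200 alerting packets, 1 ms apart
LOCAL_DB_MS = 0.5         # insert into a database on the LAN
REMOTE_DB_MS = 20.0       # insert into the second database across the VPN
BUFFER_SLOTS = 50         # packets the capture buffer can hold

def compare():
    """Run the same burst with one and with two database output plugins."""
    return {
        "one database": simulate(BURST, [LOCAL_DB_MS], BUFFER_SLOTS),
        "two databases": simulate(BURST, [LOCAL_DB_MS, REMOTE_DB_MS], BUFFER_SLOTS),
    }

if __name__ == "__main__":
    for name, (logged, dropped) in compare().items():
        print(f"{name}: logged={logged} dropped={dropped}")
```

With these assumed values the single local database keeps up with the burst, while adding the remote insert makes the sensor miss most of it, which is the monitoring gap to weigh before mirroring logs synchronously.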