[Snort-users] More than one output module

sekure sekure at ...11827...
Thu Jul 15 08:30:02 EDT 2004


Joel,

All things considered, database inserts (especially across a network)
take a long time when compared to writing to a local file.
Considering the fact that you are outputting to two different databases
and also to syslog, I wouldn't be surprised if snort is struggling to
keep up, depending on the rate of alerts.

With your configuration, have you thought about letting snort do what
it's supposed to do -- sniff and analyze traffic -- and configuring
barnyard to handle database logging and syslog?  Just configure snort
to log in unified format (very fast), and set barnyard up with
multiple output plugins.

I think you'll have much more luck in that configuration.


----- Original Message -----
From: Esler, Joel - Contractor <joel.esler at ...9426...>
Date: Thu, 15 Jul 2004 10:57:39 -0400
Subject: [Snort-users] More than one output module
To: snort-users at lists.sourceforge.net


Has anyone experienced any problems with outputting to more than one
output module?  Is there a reason for it? Does the order matter?

I have Snort logging to mysql, oracle, and syslog.  But it seems when
syslog is turned on, occasionally an alert will be missed in the db?

J

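To make the reply's suggestion concrete, here is an added configuration example that is not part of either message: snort writes only a unified spool, and barnyard drains that spool into syslog and the database, so a slow or unreachable database never blocks the sniffer. The syntax assumed is snort 2.x (`output unified`) and barnyard 0.2-era (`processor dp_alert`, `alert_syslog`, `alert_acid_db`); the sensor name, paths, database host and credentials are placeholders. Only a mysql target is shown; whether the second database can be fed the same way depends on the database support in the barnyard build in use.

```conf
# ---- snort.conf (assumed snort 2.x syntax) ----
# Remove the database and syslog output lines from snort.conf and replace
# them with a single unified spool. Snort appends to
# /var/log/snort/snort.unified.alert.<timestamp> (and .log.<timestamp>)
# and rolls to a new file after 128 MB. Writing this binary spool is
# cheap compared with a remote INSERT per alert.
output unified: filename snort.unified, limit 128

# ---- barnyard.conf (assumed barnyard 0.2 syntax) ----
# Sensor identity used by the output plugins (placeholder values).
config hostname:  sensor01
config interface: eth0

# The dp_alert processor reads the unified alert stream; every output
# plugin listed below receives each alert, so both destinations see the
# same events and neither one starves the other.
processor dp_alert

# Same syslog facility/priority that snort's alert_syslog would use.
output alert_syslog: LOG_AUTH LOG_ALERT

# Database insert handled here, out of snort's packet path.
# db.example.invalid / CHANGEME are placeholders.
output alert_acid_db: mysql, sensor_id 1, database snort, server db.example.invalid, user snort, password CHANGEME, detail full

# ---- starting barnyard (assumed 0.2 command line) ----
# Continuous mode with a waldo bookmark file: barnyard records how far
# it has read, so after a restart or a database outage it resumes from
# the last processed record instead of dropping or replaying alerts.
#   barnyard -c /etc/snort/barnyard.conf -d /var/log/snort \
#            -f snort.unified.alert -w /var/log/snort/barnyard.waldo -D
```

With this split, a missing row in the database shows up as a gap between the unified spool and the waldo position rather than as an alert snort silently never logged, which is the check to run if the original symptom persists.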