[Snort-users] More than one output module

Esler, Joel - Contractor joel.esler at ...9426...
Thu Jul 15 09:54:16 EDT 2004

I just took a 4 second look at barnyard and oracle didn't pop out at me,
does barnyard log to Oracle?


-----Original Message-----
From: sekure [mailto:sekure at ...11827...] 
Sent: Thursday, July 15, 2004 11:29 AM
To: Esler, Joel - Contractor
Cc: snort-users at lists.sourceforge.net
Subject: Re: [Snort-users] More than one output module


All things considered, database inserts (especially across a network)
take a long time when compared to writing to a local file.
Considering the fact that you are outputting to two different databases
and also to syslog, I wouldn't be surprised if snort is struggling to
keep up, depending on the rate of alerts.

With your configuration have you thought about letting snort do what
it's supposed to do -- sniff and analyze traffic, and configure barnyard
to handle database logging and syslog.  Just configure snort to log in
unified format (very fast), and set barnyard up with multiple output

I think you'll have much more luck in that configuration.

----- Original Message -----
From: Esler, Joel - Contractor <joel.esler at ...9426...>
Date: Thu, 15 Jul 2004 10:57:39 -0400
Subject: [Snort-users] More than one output module
To: snort-users at lists.sourceforge.net

Has anyone experienced any problems with outputting to more than one
output module?  Is there a reason for it? Does the order matter?
I have Snort logging to mysql, oracle, and syslog.  But it seems when
syslog is turned, occasionally an alert will be missed in the db?
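
The split suggested in the reply above (Snort writes only unified files, barnyard does the database and syslog output), sketched as an added configuration example that is not part of the original thread. Directive names follow the sample configs shipped with Snort 2.x and Barnyard 0.2 and should be checked against the installed versions; host names, credentials and the sensor name are placeholders, and no Oracle output is shown because the thread leaves open whether barnyard supports it.

```conf
# ---------------- snort.conf (on the sensor) ----------------
# Before: every alert waits on two network database inserts plus syslog.
# output database: alert, mysql,  user=DB_USER password=DB_PASSWORD dbname=snort host=DB_HOST
# output database: alert, oracle, user=DB_USER password=DB_PASSWORD dbname=snort host=DB_HOST
# output alert_syslog: LOG_AUTH LOG_ALERT

# After: Snort only appends to local binary spool files.
output alert_unified: filename snort.alert, limit 128
output log_unified:   filename snort.log,   limit 128

# ---------------- barnyard.conf (spool reader) ----------------
# Placeholders identifying the sensor in the database.
config hostname:  sensor01
config interface: eth0

# Syslog output, now produced by barnyard instead of Snort.
output alert_syslog

# MySQL output (ACID schema). DB_HOST, DB_USER and DB_PASSWORD are placeholders.
output alert_acid_db: mysql, sensor_id 1, database snort, server DB_HOST, user DB_USER, password DB_PASSWORD
output log_acid_db:   mysql, database snort, server DB_HOST, user DB_USER, password DB_PASSWORD, detail full
```

With this layout a slow or unreachable database delays barnyard's processing of the spool files rather than Snort's packet handling, so alerts are written locally first and delivered once the output target catches up.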
