[Snort-users] More than one output module

Esler, Joel - Contractor joel.esler at ...9426...
Thu Jul 15 09:54:16 EDT 2004


I just took a 4-second look at barnyard and Oracle didn't pop out at me;
does barnyard log to Oracle?

J

-----Original Message-----
From: sekure [mailto:sekure at ...11827...] 
Sent: Thursday, July 15, 2004 11:29 AM
To: Esler, Joel - Contractor
Cc: snort-users at lists.sourceforge.net
Subject: Re: [Snort-users] More than one output module


Joel,

All things considered, database inserts (especially across a network)
take a long time when compared to writing to a local file.
Considering the fact that you are outputting to two different databases
and also to syslog, I wouldn't be surprised if snort is struggling to
keep up, depending on the rate of alerts.

With your configuration, have you thought about letting snort do what
it's supposed to do -- sniff and analyze traffic -- and configuring barnyard
to handle database logging and syslog?  Just configure snort to log in
unified format (very fast), and set barnyard up with multiple output
plugins.

I think you'll have much more luck in that configuration.


----- Original Message -----
From: Esler, Joel - Contractor <joel.esler at ...9426...>
Date: Thu, 15 Jul 2004 10:57:39 -0400
Subject: [Snort-users] More than one output module
To: snort-users at lists.sourceforge.net


Has anyone experienced any problems with outputting to more than one
output module?  Is there a reason for it? Does the order matter?

I have Snort logging to mysql, oracle, and syslog.  But it seems when
syslog is turned on, occasionally an alert will be missed in the db?
 
J
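The split sekure describes (snort writes unified spool files locally, barnyard drains them and fans out to the database and syslog), as an added configuration example constructed for this thread rather than taken from it. Hostnames, the sensor id, the spool directory and the `CHANGEME` passwords are placeholders; only the mysql and syslog outputs from the thread are shown, so the Oracle question stays open.

```conf
# --- snort.conf, BEFORE (the setup Joel describes): snort does every insert itself ---
# Each alert performs two remote database inserts plus a syslog() call inside
# the packet-processing path; a slow or unreachable database stalls the sniffer.
output database: alert, mysql, user=snort password=CHANGEME dbname=snort host=mysql.example.internal
output database: alert, oracle, user=snort password=CHANGEME dbname=snort host=oracle.example.internal
output alert_syslog: LOG_AUTH LOG_ALERT

# --- snort.conf, AFTER: spool alerts to local disk in unified (binary) format ---
# 'limit' is the roll-over size in MB; the only cost per alert is a local append.
output alert_unified: filename snort.alert, limit 128

# --- barnyard.conf: a separate process reads the spool and fans out ---
config hostname: sensor1           # placeholder sensor name registered in the DB
config interface: eth0             # placeholder sniffing interface
processor dp_alert                 # consume alert_unified spool files
output alert_syslog: LOG_AUTH LOG_ALERT
output alert_acid_db: mysql, sensor_id 1, database snort, server mysql.example.internal, user snort, password CHANGEME

# --- starting barnyard against the spool (placeholder paths) ---
# -d spool directory, -f spool base name, -w waldo file recording the last
# processed record so a restart resumes without re-inserting alerts.
# barnyard -c /etc/snort/barnyard.conf -d /var/log/snort -f snort.alert \
#          -w /var/log/snort/barnyard.waldo -g /etc/snort/gen-msg.map \
#          -s /etc/snort/sid-msg.map -p /etc/snort/classification.config
```

Because the spool is append-only and barnyard tracks its position in the waldo file, a database outage delays inserts instead of dropping alerts, which is the failure mode the original question reports.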
