[Snort-users] 2GB limit on alert log

Keith W. McCammon mccammon at ...11827...
Wed Jul 21 12:33:10 EDT 2004


> Has anyone found a good procedure for getting past the 2GB
> limit on snorts alert log?
> 
> Before anyone suggests this, the problem is not a
> filesystem imposed limit.  On the same fs, I have other
> apps dumping 20-50GB files daily.

OK.  My curiosity is getting the better of me.  Why on earth would you
want a 50GB flat file full of logs?  Presumably, at some point, you
have to move this into a database, otherwise any type of meaningful
analysis and/or follow-up is not possible, without modifying the
original log, which is not possible :)

> My logs easily grow to this size within a week and minimal
> logging enabled so I have to find a way around this and
> putting in more sensors is not an option.  I have several
> heavily populated /17's behind this sensor and that is not
> going to change.

What do you do with these files all week?  How do you analyze and
manage alerts?  Again, this is strictly curiosity.
 
> MySQL is not an option either.  I kicked that beeotch to
> the curb some time ago.  Flat files, shell scripts and
> snortalog are the only sensible way to go for me.  : - )

This is great, if all you ever want are reports.  I'm all for using
something like SnortALog for an overview.  But on the flip side, I'd
want to have some actual analysis going on.  If your network is as
large as you indicate, and you have a need for countless GB of logs
every day, then it would seem to me that you have some pretty serious
security concerns.  Thus, you probably have a need for some type of
analysis (read: you need to be doing something with all those logs
aside from just collecting them).

Last time: I'm sorry for not offering a solution.  I don't know of
one.  I'm just very interested in your methodology, if you don't mind
indulging me (us).

Cheers

Keith




More information about the Snort-users mailing list