[Snort-users] 2GB limit on alert log (For Keith)
snort at ...10572...
Thu Jul 22 10:28:16 EDT 2004
I knew this would make no sense to those who do things the
right way. Don't get me wrong Keith, you are 100%
This is all part of a long, really messed up political
thing. I don't much like politics so I just sit back and
watch people do stupid sh.t every day.
On the flip side however, the 50GB files are from another
application unrelated to snort. That was just an example
showing that the file system was not limited to 2GB.
Really an obscure reference. If the file were to grow
unrestricted, it would be about 3.5 to 5GB per month,
which compresses down really nicely. The plan, or at least
my plan, is to rotate monthly.
Yup... In the world of real time monitoring and fixing
stuff, well, this just isn't there for that. It is to
make purdy reports for a few folks. I am supposed to
archive the data as well for the goofy-ass title of SAS 70
Type II rating. I so despise doing things in a
superficial manner strictly for the purpose of making
something look good on paper. How can we get that rating
without monitoring stuff you ask? I asked that too. "An
owl heard it. An odd dog barked." --D.A.
In reality, you or I would not do something like this and
would dedicate at least 5 or 6 people to monitoring and
researching alerts. This is just a weird dream, so that
When I used MySQL, that was great, but honestly I didn't
have the time to monitor it and was not allowed to spend
more than 1 hour a day on it. I spent a lot of time
maintaining the database that nobody could look at. That
is why it is now going to the "set it and forget about it"
mode, thus the need for snort to keep running even if the
logs should grow over the 2GB limit.
I know this answer does not really begin to touch on
anything that would satisfy your curiosity. Honestly, if
you knew the whole story it would probably make you
physically ill as it does me. They keep blowing holes in
>OK. My curiosity is getting the better of me. Why on
>earth would you
>want a 50GB flat file full of logs? Presumably, at some
>have to move this into a database, otherwise any type of
>analysis and/or follow-up is not possible, without
>original log, which is not possible :)
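The rotate-before-the-limit plan above, as an added example that is not part of the original thread or of Snort itself: a small POSIX shell function that checks an alert file against a byte threshold, and when it is reached copies the file to a timestamped name, truncates the original in place, and gzips the copy. The file path and the threshold are placeholders; the example assumes Snort appends to the alert file and that the operator restarts or signals Snort separately if its log handle must be reopened.

```shell
#!/bin/sh
# Added example (not from the original post or from Snort): size-triggered
# rotation of a Snort alert file so the daemon never reaches a 2GB file
# ceiling. Paths and thresholds are placeholders chosen for illustration.

# rotate_if_large FILE LIMIT_BYTES
#   returns 0 and prints the compressed archive name when FILE was rotated
#   returns 1 when FILE is still under LIMIT_BYTES (nothing done)
#   returns 2 on a missing file or a copy/truncate failure
rotate_if_large() {
    file="$1"
    limit="$2"
    [ -f "$file" ] || return 2
    # tr strips the leading spaces some wc implementations print
    size=$(wc -c < "$file" | tr -d ' ')
    if [ "$size" -lt "$limit" ]; then
        return 1
    fi
    stamp=$(date +%Y%m%d-%H%M%S)
    rotated="${file}.${stamp}"
    # Copy then truncate: the writer keeps its open descriptor on the same
    # inode, so it does not need to be restarted to keep logging.
    cp -p "$file" "$rotated" || return 2
    : > "$file" || return 2
    # The monthly 3.5 to 5GB of text shrinks well under gzip.
    gzip -f "$rotated" || return 2
    echo "${rotated}.gz"
    return 0
}

# Stand-alone usage (placeholder values):
#   sh rotate_alert.sh /var/log/snort/alert 1800000000
if [ $# -eq 2 ]; then
    rotate_if_large "$1" "$2"
fi
```

Run it from cron with a threshold comfortably below 2GB; any alert written between the copy and the truncate is lost, so a quiet window or a brief stop of the sensor is safer when completeness matters for the archive.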