[Snort-users] multiple instances of snort and barnyard
sanderson at ...11591...
Wed Aug 23 10:41:05 EDT 2006
I run several instances of Snort on SuSE Linux (to monitor traffic on
2-3 NICs) and I have been logging directly to a MySQL database. I would
like to start using the unified output and barnyard. I have it working
for the most part, the problem is I have a unified output file for each
interface that I have snort listening on and I can't get multiple
instances of barnyard to run in continuous mode to process each log

I'd prefer to run barnyard in batch mode in 10 minute intervals on each
log file, I can't seem to do that either without restarting snort each
time after I run barnyard to create a new unified log file.

Is there a way to run barnyard in batch mode so that each time it's run
against a file it only processes events that it hasn't processed before?

Or, is there a way to have multiple continuous instances of barnyard
running so each instance can maintain its corresponding snort unified

Or, is there a better way to have each event captured by snort
associated with the network interface it was detected on?

SuSE Enterprise 9