[Snort-users] Archiving events via BASE
a0037 at ...14157...
Fri Jun 22 12:46:32 EDT 2007
On Fri, Jun 22, 2007 at 03:23:05AM -0700, David Ryan wrote:
> There seems to be a problem with the archiving function,
> but I don't know if I am using it incorrectly. I had one
> particular alert with 15,000+ events, so I went in to the
> view of unique alerts, selected the relevant icon on the
> list and selected 'archive (move) selected' from the actions.
> After a long time the transaction seemed to finish OK,
> but when I went in to look at it again there was still
> some large number of these events . . . maybe 5,000+.
> I checked the archive database and many of the entries
> had been moved. I repeated the procedure and it came down
> to 1,000+ events. Then I repeated it and it left 1.
> No matter how many times I repeat, this 1 event will not move.
> So, here's the question - how come when I asked BASE to move
> all the records of a particular type it only moved part of them,
> and how come it refuses to move the last transaction?
> It makes me a bit wary of the archive function if it has this
> type of issue.
PHP has a timeout for each script. BASE increases this timeout
a little bit, but not enough for such a huge number of alerts.
In base_conf.php look for a line like
$max_script_runtime = 180;
Set this to 6000 or whatever:
$max_script_runtime = 6000;