[Snort-users] Archiving events via BASE

Info info at ...2282...
Fri Jun 22 18:28:18 EDT 2007


Additionally at least as of 1.2.7 of BASE the archiving was still not
optimized for speed or performance, so it will be a very slow and lengthy
process.  Typically I recommend that you archive more frequently, and then
simply dump the archive database every month or so (depending on your
traffic).  I seldom archive anything after 45 days.  In a high
traffic/logging environment you may wish to keep even less.  

Cheers,

James Friesen, CIO
Lucretia Enterprises
Our World Is Here...
http://lucretia.ca
 

-----Original Message-----
From: snort-users-bounces at lists.sourceforge.net
[mailto:snort-users-bounces at lists.sourceforge.net] On Behalf Of a0037
Sent: Friday, June 22, 2007 10:47 AM
To: snort-users at lists.sourceforge.net
Subject: Re: [Snort-users] Archiving events via BASE

On Fri, Jun 22, 2007 at 03:23:05AM -0700, David Ryan wrote:
 
> There seems to be a problem with the archiving function, but I don't 
> know if I am using it incorrectly.  I had one particular alert with 
> 15,000+ events, so I went in to the view of unique alerts, selected 
> the relevant icon on the list and selected 'archive (move) selected' 
> from the actions.
> After a long time the transaction seemed to finish OK, but when I went 
> in to look at it again there was still some large number of these 
> events . . . maybe 5,000+.
> I checked the archive database and many of the entries had been moved.  
> I repeated the procedure and it came down to 1,000+ events.  Then I 
> repeated it and it left 1.
> No matter how many times I repeat, this 1 event will not move.
> 
> So, here's the question - how come when I asked BASE to move all the 
> records of a particular type it only moved part of them, and how come 
> it refuses to move the last transaction ?
> It makes me a bit wary of the archive function if it has this type of 
> issue.

Hi,

PHP knows a timeout for each script. BASE increases this timeout a little
bit, but not enough for such a huge number of alerts.
In base_conf.php look for a line like

	$max_script_runtime = 180;

Set this to 6000 or whatever:

	$max_script_runtime = 6000;

Bye, bye,

Juergen
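The two-part fix Juergen describes (raise the per-script runtime, then move a large alert set) is easy to show in a few lines of PHP. The script below is an added illustration written for this archive page; it is not BASE's own archive code, and the table and column names (alert_live, alert_archive, sid, cid, signature) are assumed for the example rather than taken from BASE's schema. It raises the time limit the way a `$max_script_runtime` setting would, then moves rows in bounded batches with one transaction per batch, so a script that is still killed by the timeout leaves each batch either fully moved or fully untouched rather than half-copied. The sample rows are constructed in an in-memory SQLite database so the whole thing runs offline.

```php
<?php
// Added example, not BASE code. Assumed schema: alert_live/alert_archive with
// columns sid, cid, signature. Requires the pdo_sqlite extension.
declare(strict_types=1);

// The knob from the thread: BASE reads $max_script_runtime from base_conf.php.
// Here it is a plain variable passed to PHP's set_time_limit().
$max_script_runtime = 6000;
set_time_limit($max_script_runtime);   // 0 would mean "no limit at all"

/**
 * Move every live alert for one signature into the archive table, $batchSize
 * rows at a time. Returns the number of rows moved.
 */
function archiveInBatches(PDO $db, int $signatureId, int $batchSize = 500): int
{
    $moved  = 0;
    $select = $db->prepare(
        'SELECT sid, cid FROM alert_live WHERE signature = :sig LIMIT :lim'
    );
    $copy   = $db->prepare(
        'INSERT INTO alert_archive SELECT * FROM alert_live WHERE sid = :sid AND cid = :cid'
    );
    $delete = $db->prepare(
        'DELETE FROM alert_live WHERE sid = :sid AND cid = :cid'
    );

    while (true) {
        $select->bindValue(':sig', $signatureId, PDO::PARAM_INT);
        $select->bindValue(':lim', $batchSize, PDO::PARAM_INT);
        $select->execute();
        $rows = $select->fetchAll(PDO::FETCH_ASSOC);
        if ($rows === []) {
            break;                      // nothing left for this signature
        }

        // One transaction per batch: if PHP kills the script part-way through,
        // every committed batch is fully moved and the rest is fully untouched.
        $db->beginTransaction();
        try {
            foreach ($rows as $row) {
                $params = [':sid' => $row['sid'], ':cid' => $row['cid']];
                $copy->execute($params);
                $delete->execute($params);
                $moved++;
            }
            $db->commit();
        } catch (Throwable $e) {
            $db->rollBack();
            throw $e;
        }
    }
    return $moved;
}

// --- constructed demo data (in-memory SQLite, no real alert database) ---
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE alert_live    (sid INTEGER, cid INTEGER, signature INTEGER)');
$db->exec('CREATE TABLE alert_archive (sid INTEGER, cid INTEGER, signature INTEGER)');

$insert = $db->prepare('INSERT INTO alert_live VALUES (1, :cid, :sig)');
for ($cid = 1; $cid <= 1200; $cid++) {
    // 1000 events for signature 42, 200 for an unrelated signature 7
    $insert->execute([':cid' => $cid, ':sig' => $cid <= 1000 ? 42 : 7]);
}

$moved = archiveInBatches($db, 42, 250);
$liveLeft = (int) $db->query('SELECT COUNT(*) FROM alert_live')->fetchColumn();
$archived = (int) $db->query('SELECT COUNT(*) FROM alert_archive')->fetchColumn();
printf("moved=%d live_remaining=%d archived=%d\n", $moved, $liveLeft, $archived);
```

With the constructed data this reports 1000 rows moved, 200 left in the live table (the unrelated signature) and 1000 in the archive. The batch size and the time limit are the two levers: a smaller batch shortens each transaction, and a larger `$max_script_runtime` gives the whole loop room to finish, which is exactly the combination Juergen's answer points at.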

