[Snort-users] Multiple sensors one database
beenph at ...11827...
Tue Apr 12 21:33:55 EDT 2011
On Tue, Apr 12, 2011 at 5:03 PM, Atkins, Dwane P <ATKINSD at ...9240...> wrote:
> Good afternoon,
> We are running two snort devices and attempting to get them both to record
> to one mysql database.
> Created database snort. Assigned permissions to sensor1 at ...15240... and
> sensor2 at ...15242... I installed Snort 188.8.131.52 schema so that databases
> would all look the same. Yes, I did have a single mysql database on each
> sensor but was told in that in order to run a particular Application, I
> would need a single database.
> We are using Snort 184.108.40.206 on Ubuntu 10.04.01 LTS. We are using Barnyard2.
> In the Barnyard2.conf file, we have an entry, “output database: log, mysql,
> user=snort password=snortpass dbname=snort host=10.10.12.1
> sensor_name='sensor1’ and have an identical entry for the second sensor.
> I have not made any configuration changes the my.cnf. It currently binds to
> 127.0.0.1 but should I have it bind to the Master
> # Instead of skip-networking the default is now to listen only on
> # localhost which is more compatible and is not less secure.
> bind-address = 10.10.12.1
> Is there anywhere else I need to check? Do I need to shutdown mysql on each
> sensor now?
> Thank you
I am not sure i clearly understand your statement, but on your second
sensor you should
have sensor_name='sensor2', since if i remember well the "acid" schema
will use that to identify
last_cid and you could run into sync trouble if you run two sensor who
use the same event counter.
On the other hand as i stated i am not sure i undersand completly your
ultimate goal beside probably
using a database on a separate system, if thats so then you should
update both barnyard config to
point to your new database and from there restart barnyard and it
should be logging to the "centralized" database.
More information about the Snort-users