[Snort-users] Where's Waldo?
allowoverride at ...11827...
Thu Oct 11 20:05:27 EDT 2012
Thanks! That's a great answer, just what I was waiting to hear. Good job.
Keep it up :)
On Thu, 2012-10-11 at 18:02 -0400, beenph wrote:
> On Thu, Oct 11, 2012 at 5:13 PM, Paul Schmehl <pschmehl_lists at ...14358...> wrote:
> > --On October 11, 2012 8:58:12 PM +0100 Peter Bates <peter.bates at ...15381...>
> > wrote:
> >> -----BEGIN PGP SIGNED MESSAGE-----
> >> Hash: SHA1
> >> Hello all
> >> On 11/10/2012 20:29, AllowOverride wrote:
> >>> Just a test: I will clear tables, close the browser, come back in 1
> >>> hour increments, and see if that is the issue. It takes an hour to
> >>> input new data after the BASE clear table buttons have cleared. I'm
> >>> assuming there is a switch in the configs to make it quicker.
> >> I've never personally looked for the option to clear tables in BASE
> >> but I can say I use a script called archivesnort.pl which moves alerts
> >> after 7 days to the archive DB and deletes them after 30.
> The condition mentioned earlier by Waldo Kitty is called "backlog".
> Backlog is a state where you are receiving/generating a lot of unified2
> events, so much that even if barnyard2 is reading them it is not
> outputting them fast enough.
> That state was easily observable with barnyard2 2-1.9 if you were
> outputting to a database on a busy database or over a high latency link,
> because of the way that the original port for the database output was
> written: generating one query for every table and querying the signature
> table at every event.
> The rewrite of the 2-1.10 database output plugin was mainly done to
> address that issue and others, but now events are written in a single
> block and signature queries are done only if the signature was not
> already in the cache. The minimum insert throughput performance has been
> improved 8 to 10 fold, if not more in some cases.
> So if you observe backlog on 2-1.10 I would be interested in knowing
> things like:
> 1) what is your backend DBMS
> 2) what is the network latency between your barnyard2 node
> 3) how many events/second you are generating.
> I hope this sheds some light on the previous observation made by the
> concerned party.
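The quoted explanation of backlog attributes the 2-1.10 speedup to two changes: events are written to the database in a single block, and the signature table is queried only on a cache miss. The following is an added example, not barnyard2's own code, that models both output strategies against an in-memory SQLite stand-in and counts database round trips, which is the quantity that dominates on a busy or high-latency backend. The table layout, the constructed event tuples, the five-signature sample and the batch size of 100 are all assumptions made for the illustration.

```python
import sqlite3


class Backend:
    """In-memory stand-in for the output DBMS. Every execute() is counted as
    one network round trip, which is what a high-latency link makes expensive."""

    def __init__(self):
        self.conn = sqlite3.connect(":memory:")
        # Assumed, simplified versions of the signature and event tables.
        self.conn.execute(
            "CREATE TABLE signature (sig_id INTEGER PRIMARY KEY, sig_gid INTEGER, "
            "sig_sid INTEGER, sig_rev INTEGER, sig_name TEXT)"
        )
        self.conn.execute(
            "CREATE TABLE event (cid INTEGER PRIMARY KEY, signature INTEGER, "
            "ip_src TEXT, ip_dst TEXT)"
        )
        self.round_trips = 0

    def execute(self, sql, params=()):
        self.round_trips += 1
        return self.conn.execute(sql, params)

    def count(self, table):
        return self.conn.execute(f"SELECT COUNT(*) FROM {table}").fetchone()[0]


def make_sample_events(n=1000):
    """Constructed stand-in for a unified2 stream: n events over 5 signatures.
    Each tuple is (gid, sid, rev, rule name, source IP, destination IP)."""
    sigs = [(1, 1000001 + i, 1, f"constructed rule {i}") for i in range(5)]
    return [
        sigs[i % 5] + (f"10.0.0.{i % 250 + 1}", "192.0.2.10") for i in range(n)
    ]


SIG_LOOKUP = "SELECT sig_id FROM signature WHERE sig_gid=? AND sig_sid=? AND sig_rev=?"
SIG_INSERT = "INSERT INTO signature (sig_gid, sig_sid, sig_rev, sig_name) VALUES (?,?,?,?)"


def output_per_event(events):
    """Old style: look the signature up for every event, then insert that one event."""
    db = Backend()
    for gid, sid, rev, name, src, dst in events:
        row = db.execute(SIG_LOOKUP, (gid, sid, rev)).fetchone()
        sig_id = row[0] if row else db.execute(SIG_INSERT, (gid, sid, rev, name)).lastrowid
        db.execute("INSERT INTO event (signature, ip_src, ip_dst) VALUES (?,?,?)",
                   (sig_id, src, dst))
    return db


def output_cached_batched(events, batch_size=100):
    """New style: signature ids come from a local cache after the first miss,
    and events are flushed as one multi-row INSERT per batch."""
    db = Backend()
    cache = {}
    pending = []

    def flush():
        if not pending:
            return
        placeholders = ",".join(["(?,?,?)"] * len(pending))
        flat = [value for row in pending for value in row]
        db.execute("INSERT INTO event (signature, ip_src, ip_dst) VALUES " + placeholders, flat)
        pending.clear()

    for gid, sid, rev, name, src, dst in events:
        key = (gid, sid, rev)
        if key not in cache:  # only a miss touches the signature table
            row = db.execute(SIG_LOOKUP, key).fetchone()
            cache[key] = row[0] if row else db.execute(SIG_INSERT, key + (name,)).lastrowid
        pending.append((cache[key], src, dst))
        if len(pending) >= batch_size:
            flush()
    flush()
    return db


def compare(events):
    """Run both strategies on the same stream and report round trips and row counts."""
    old, new = output_per_event(events), output_cached_batched(events)
    return {
        "events": len(events),
        "per_event_round_trips": old.round_trips,
        "cached_batched_round_trips": new.round_trips,
        "rows_match": old.count("event") == new.count("event") == len(events)
        and old.count("signature") == new.count("signature"),
    }


if __name__ == "__main__":
    print(compare(make_sample_events(1000)))
```

On the constructed 1000-event stream the per-event strategy needs 2005 round trips (a lookup and an insert per event plus five signature inserts), while the cached, batched strategy needs 20 (five cache misses costing two trips each, then ten batch inserts). The ratio depends on batch size and on how many distinct signatures fire, which is why the poster asks about events per second and backend latency when diagnosing backlog: at a fixed latency per round trip, the old scheme's output rate is bounded by roughly two round trips per event regardless of how fast barnyard2 reads the spool.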