Snort mailing list archives
Re: Centrally controlled log management server
From: Bennett Todd <bet () rahul net>
Date: Wed, 19 Feb 2003 10:00:10 -0500
2003-02-18T19:23:26 Perrymon, Josh L.:
> I have 20 500mhz boxes to install snort on...
Should be Ok, as long as you aren't trying to sniff heavily-loaded 100BaseT or anything. Unless the boxes have loads of RAM (I'd recommend at least 512MB) you may want to disable the conversation and portscan2 preprocessors, they climb all over RAM.
> What do you guys do/ suggest for central management of logs... I've noticed several appliances BUT I would like good old *nix to handle it.
The good old *nix way to handle it is to tell snort to send its alerts with syslog, and arrange for your syslog.conf to forward them on to your central logserver. This however leaves you without the most sophisticated snort-specific tools for event analysis (like ACID); they want to work off different formats. If you want to track the main snort developments for enterprise IDS, look into barnyard forwarding into MySQL. If on the other hand you're willing to craft your own analytic logic to grovel the logfiles (perhaps building on syslog-whacking tools people have already written) or to purchase a commercial logfile-groveller (the big ones I've looked at have snort support) then there are definite advantages to the syslog forwarding strategy. It's very lightweight and efficient, and in the event of an overload (someone taking an IDS DoS tool to your sensor) the deluge is simply dropped, rather than propagating the DoS downstream into your analytic system or your helpdesk or whatever is the chokepoint.

-Bennett
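As an added illustration of the "craft your own analytic logic to grovel the logfiles" route Bennett mentions (this is not code from the original thread or from the Snort project), the script below parses the one-line alert format that snort's alert_syslog output plugin emits once syslog.conf has forwarded it to the central logserver, counts alerts per signature, per source and per sensor, and flags sources that are flooding, which is the first thing you want to see when one of the 20 sensors is being hit with an IDS DoS tool. The sample log lines are constructed for this example; the sensor names, addresses and the threshold are assumptions, not data from the list.

```python
import re
from collections import Counter

# Classic snort alert_syslog line, as relayed by syslogd to the central host:
#   <Mon DD HH:MM:SS> <sensor> snort[pid]: [gid:sid:rev] <msg> [Classification: ...] [Priority: N]: {PROTO} src:sport -> dst:dport
# "snort:" without a pid, a missing Classification field and port-less ICMP
# alerts are all accepted.
ALERT_RE = re.compile(
    r'^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) '
    r'(?P<sensor>\S+) snort(?:\[\d+\])?: '
    r'\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<msg>.*?) '
    r'(?:\[Classification: (?P<cls>[^\]]*)\] )?'
    r'\[Priority: (?P<prio>\d+)\]: '
    r'\{(?P<proto>\w+)\} (?P<src>[\d.]+)(?::(?P<sport>\d+))? -> '
    r'(?P<dst>[\d.]+)(?::(?P<dport>\d+))?\s*$'
)

# Constructed sample of what the central logserver receives. The sshd line is
# there to show that unrelated syslog traffic is skipped, not mis-parsed.
SAMPLE_LOG = """\
Feb 19 09:58:01 sensor01 snort[1234]: [1:2003:2] MS-SQL Worm propagation attempt [Classification: Misc Attack] [Priority: 2]: {UDP} 10.0.0.5:1434 -> 192.168.1.10:1434
Feb 19 09:58:02 sensor01 snort[1234]: [1:2003:2] MS-SQL Worm propagation attempt [Classification: Misc Attack] [Priority: 2]: {UDP} 10.0.0.5:1434 -> 192.168.1.11:1434
Feb 19 09:58:05 sensor02 snort[2222]: [1:469:1] ICMP PING NMAP [Classification: Attempted Information Leak] [Priority: 2]: {ICMP} 10.0.0.7 -> 192.168.2.1
Feb 19 09:58:09 sensor03 snort: [1:1256:7] WEB-IIS CodeRed v2 root.exe access [Classification: Web Application Attack] [Priority: 1]: {TCP} 10.0.0.9:4021 -> 192.168.3.20:80
Feb 19 09:58:10 sensor03 sshd[555]: Accepted publickey for bennett from 192.168.3.5 port 40001 ssh2
Feb 19 09:58:11 sensor01 snort[1234]: [1:2003:2] MS-SQL Worm propagation attempt [Classification: Misc Attack] [Priority: 2]: {UDP} 10.0.0.5:1434 -> 192.168.1.12:1434
"""


def parse_alert(line):
    """Return the alert's fields as a dict, or None if the line is not a snort alert."""
    m = ALERT_RE.match(line.rstrip("\n"))
    if not m:
        return None
    a = m.groupdict()
    for key in ("gid", "sid", "rev", "prio"):
        a[key] = int(a[key])
    for key in ("sport", "dport"):          # absent for ICMP
        a[key] = int(a[key]) if a[key] else None
    return a


def parse_log(text):
    """Parse a whole syslog file; return (alerts, number_of_non_snort_lines)."""
    alerts, skipped = [], 0
    for line in text.splitlines():
        if not line.strip():
            continue
        a = parse_alert(line)
        if a is None:
            skipped += 1
        else:
            alerts.append(a)
    return alerts, skipped


def summarize(alerts):
    """Counters keyed by (sid, msg), by source address and by reporting sensor."""
    return {
        "by_sig": Counter((a["sid"], a["msg"]) for a in alerts),
        "by_src": Counter(a["src"] for a in alerts),
        "by_sensor": Counter(a["sensor"] for a in alerts),
    }


def high_priority(alerts, max_prio=1):
    """Alerts at or above the given snort priority (1 is the most severe)."""
    return [a for a in alerts if a["prio"] <= max_prio]


def noisy_sources(alerts, threshold):
    """Sources that produced at least `threshold` alerts: the usual sign of a
    flood (or an IDS DoS tool) and the first thing to check before the helpdesk
    gets paged for every one of them."""
    return {src for src, n in Counter(a["src"] for a in alerts).items() if n >= threshold}


if __name__ == "__main__":
    alerts, skipped = parse_log(SAMPLE_LOG)
    s = summarize(alerts)
    print(f"{len(alerts)} alerts parsed, {skipped} non-snort lines skipped")
    for (sid, msg), n in s["by_sig"].most_common():
        print(f"  sid {sid:<6} {n:>4}  {msg}")
    print("per sensor:", dict(s["by_sensor"]))
    print("priority 1:", [a["msg"] for a in high_priority(alerts)])
    print("noisy sources (>=3 alerts, threshold is an assumption):", noisy_sources(alerts, 3))
```

The threshold in noisy_sources is deliberately crude; in practice you would compute it per sensor over a time window so that one flooded sensor does not drown the other nineteen in the report, which is exactly the downstream-DoS effect the message warns about.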
Current thread:
- Centrally controlled log management server Perrymon, Josh L. (Feb 18)
- Re: Centrally controlled log management server Bennett Todd (Feb 19)