Snort mailing list archives

RE: Problem with MYSQL/ACID And Large Database


From: "Maynard, Jeff S." <Jeff.Maynard () banctec com>
Date: Mon, 3 Mar 2003 13:50:37 -0600

I am running the sensor on a dedicated machine and the DB on another
dedicated machine.  The DB server is a Dell PowerEdge 2200 with 512K and
dual 233's.  While not the best box around, it should be able to handle the
load.  The problem seems to be when I get around 70,000 alerts.  I ran a
select statement with just select count(*) from acid_alert and it took 7.5
hours to return 86,000.  I have since truncated the table and have started
to clean up the alerts.  I will also start archiving to another database on
the same server.  Hopefully this will help.

Thanks to everyone for all the great advice.  I am just going to have to
spend more time tuning and watching the database size.

-----Original Message-----
From: Pacheco, Michael F. [mailto:MPacheco () elcom com] 
Sent: Monday, March 03, 2003 1:07 PM
To: 'Paul Schmehl'
Cc: 'snort-users () lists sourceforge net'
Subject: RE: [Snort-users] Problem with MYSQL/ACID And Large Database


As you mentioned, it's hardware driven.  I'm running my distributed setup on
converted desktops.  I only have 2 real server platforms and I dedicated them
to the sensors themselves, so I got a good number of desktops from a
division closure and distribute the load across as many as possible.  If I
had a real server asset then you are correct, a larger db should not affect
the performance of ACID that much.

But "if" is a big word; "if I only had the proper assets" comes to mind.

My 2 cents...

Mike


-----Original Message-----
From: Paul Schmehl [mailto:pauls () utdallas edu] 
Sent: Monday, March 03, 2003 1:42 PM
To: Pacheco, Michael F.
Cc: 'snort-users () lists sourceforge net'
Subject: RE: [Snort-users] Problem with MYSQL/ACID And Large Database

On Mon, 2003-03-03 at 09:28, Pacheco, Michael F. wrote:

Of course this is workstation related; if you're carrying 30k plus
alerts in your MySQL db instance then you really need to set up an
archive instance off the primary db server - but that's a different
story.

Seriously?  30k?  I keep about 300,000 events in the acid_events table and
performance is fine.  When it got over 1,000,000, *then* it was unacceptably
slow, but 300,000 is no problem at all.

I think this number depends on the hardware you're running on and how well
you've set things up.

-- 
Paul Schmehl (pauls () utdallas edu)
Adjunct Information Security Officer
The University of Texas at Dallas http://www.utdallas.edu/~pauls/
AVIEN Founding Member


-------------------------------------------------------
This sf.net email is sponsored by:ThinkGeek
Welcome to geek heaven.
http://thinkgeek.com/sf _______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
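The archiving step the thread keeps coming back to (move old alerts out of the live database so ACID's queries stay fast) as an added example; this is not code from the thread or from ACID/Snort. It assumes the standard Snort database schema's `event` table (columns `sid`, `cid`, `signature`, `timestamp`, primary key on `sid, cid`) and uses the illustrative database names `snort` and `snort_archive`. The cutoff is captured in a user variable first so the copy and the delete agree on exactly which rows moved.

```sql
-- Added example (not from the original post): archive Snort/ACID events older
-- than 30 days into a second database on the same MySQL server.
-- Assumptions: live DB "snort", archive DB "snort_archive", and the Snort
-- schema's event table (sid, cid, signature, timestamp), PK (sid, cid).

-- 1. Row counts and on-disk size without a full table scan.
SHOW TABLE STATUS FROM snort LIKE 'event';

-- 2. The cutoff query needs an index on timestamp or it walks the whole table
--    (this is the same full scan that makes ACID's date filters slow).
ALTER TABLE snort.event ADD INDEX idx_event_timestamp (timestamp);

-- 3. Create the archive table with the same definition as the live one
--    (CREATE TABLE ... LIKE needs MySQL 4.1+; on older servers copy the
--    CREATE TABLE statement from the Snort schema file instead).
CREATE DATABASE IF NOT EXISTS snort_archive;
CREATE TABLE IF NOT EXISTS snort_archive.event LIKE snort.event;

-- 4. Fix the cutoff once. Using NOW() in both statements below would let a
--    row inserted between them be deleted without ever having been copied.
SET @cutoff = NOW() - INTERVAL 30 DAY;

-- 5. Copy, then verify the counts match BEFORE deleting anything.
INSERT INTO snort_archive.event
  SELECT * FROM snort.event WHERE timestamp < @cutoff;

SELECT
  (SELECT COUNT(*) FROM snort.event         WHERE timestamp < @cutoff) AS live_old,
  (SELECT COUNT(*) FROM snort_archive.event WHERE timestamp < @cutoff) AS archived;

-- 6. Only once live_old = archived:
DELETE FROM snort.event WHERE timestamp < @cutoff;

-- 7. Reclaim the space and rebuild index statistics on the live table.
OPTIMIZE TABLE snort.event;
```

Two caveats a practitioner should keep in mind. First, the Snort schema stores the packet detail for each event in separate tables (`iphdr`, `tcphdr`, `udphdr`, `icmphdr`, `data`, `opt`) keyed by the same `(sid, cid)` pair; a complete archive moves those rows with the same `WHERE sid = ... AND cid = ...` selection, which is what ACID's own archive function does for you. Second, a plain `SELECT COUNT(*)` on a MyISAM table returns instantly from table metadata, so a count that takes hours points at a server that is swapping or a disk that is saturated rather than at the query itself; `SHOW TABLE STATUS` and `EXPLAIN` on ACID's actual queries are the places to look.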



