Snort mailing list archives
Re: Multiple sensors one database
From: beenph <beenph () gmail com>
Date: Tue, 12 Apr 2011 21:33:55 -0400
On Tue, Apr 12, 2011 at 5:03 PM, Atkins, Dwane P <ATKINSD () uthscsa edu> wrote:
Good afternoon,

We are running two snort devices and attempting to get them both to record to one mysql database. Created database snort. Assigned permissions to sensor1@10.10.10.10 and sensor2@10.10.10.11. I installed Snort 2.9.0.5 schema so that databases would all look the same. Yes, I did have a single mysql database on each sensor but was told that in order to run a particular Application, I would need a single database.

We are using Snort 2.9.0.5 on Ubuntu 10.04.01 LTS. We are using Barnyard2. In the Barnyard2.conf file, we have an entry, "output database: log, mysql, user=snort password=snortpass dbname=snort host=10.10.12.1 sensor_name='sensor1'" and have an identical entry for the second sensor.

I have not made any configuration changes to the my.cnf. It currently binds to 127.0.0.1 but should I have it bind to the Master?

    # Instead of skip-networking the default is now to listen only on
    # localhost which is more compatible and is not less secure.
    bind-address = 10.10.12.1

Is there anywhere else I need to check? Do I need to shutdown mysql on each sensor now?

Thank you
Dwane
I am not sure I clearly understand your statement, but on your second sensor you should have sensor_name='sensor2', since if I remember well the "acid" schema will use that to identify last_cid and you could run into sync trouble if you run two sensors that use the same event counter.

On the other hand, as I stated, I am not sure I understand completely your ultimate goal besides probably using a database on a separate system; if that's so then you should update both barnyard configs to point to your new database and from there restart barnyard and it should be logging to the "centralized" database.

-elz
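An added example, not code from the thread or from the Snort/Barnyard2 projects: a small Python checker that parses the `output database:` line of each sensor's barnyard2.conf and flags the two problems discussed above, a sensor_name copied verbatim to a second sensor and sensors that do not all point at the same host/dbname. The config texts and sensor labels are constructed for the example (reusing the thread's addresses); the statement that a shared sensor_name means a shared per-sensor event counter is taken from the reply above and is not verified against the schema here.

```python
"""Consistency check for barnyard2.conf files that should share one database.

Constructed example. Parses each sensor's `output database:` line and reports:
  * a sensor_name that is missing, or reused by more than one sensor
    (per the reply above: the schema keys last_cid on the sensor, so two
    sensors with the same name would fight over one event counter),
  * sensors whose host/dbname differ (one still logging to a local MySQL).
"""
import re
from collections import defaultdict

# `output database: <facility>, <driver>, key=value key='value' ...`
OUTPUT_RE = re.compile(r"^\s*output\s+database:\s*(\w+)\s*,\s*(\w+)\s*,?\s*(.*)$")
# key=value with optional single or double quotes around the value.
PARAM_RE = re.compile(r"(\w+)=(?:'([^']*)'|\"([^\"]*)\"|(\S+))")


def parse_output_database(config_text):
    """Return one dict per `output database:` line: facility, driver, params."""
    outputs = []
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0]  # drop comments (a '#' inside a password would need quoting)
        m = OUTPUT_RE.match(line)
        if not m:
            continue
        facility, driver, rest = m.groups()
        params = {}
        for pm in PARAM_RE.finditer(rest):
            key, single, double, bare = pm.groups()
            params[key] = single if single is not None else double if double is not None else bare
        outputs.append({"facility": facility, "driver": driver, "params": params})
    return outputs


def check_sensors(configs):
    """configs maps a sensor label to its barnyard2.conf text.

    Returns a list of human-readable findings; an empty list means the set
    is consistent for a shared central database.
    """
    findings = []
    names = defaultdict(list)    # sensor_name -> labels using it
    targets = defaultdict(list)  # (host, dbname) -> labels logging there
    for label in sorted(configs):
        mysql_outputs = [o for o in parse_output_database(configs[label]) if o["driver"] == "mysql"]
        if not mysql_outputs:
            findings.append(f"{label}: no 'output database: ..., mysql, ...' line found")
            continue
        for out in mysql_outputs:
            p = out["params"]
            name = p.get("sensor_name")
            if name:
                names[name].append(label)
            else:
                findings.append(f"{label}: sensor_name is not set; give each sensor a unique name")
            targets[(p.get("host", "localhost"), p.get("dbname"))].append(label)
    for name, labels in names.items():
        if len(labels) > 1:
            findings.append(f"sensor_name '{name}' is shared by {', '.join(labels)}: "
                            "they would collide on the same per-sensor event counter")
    if len(targets) > 1:
        desc = "; ".join(f"{host}/{db} <- {', '.join(ls)}"
                         for (host, db), ls in sorted(targets.items(), key=str))
        findings.append("sensors do not all log to the same database: " + desc)
    return findings


# Constructed sample configs; addresses and credentials are the thread's.
SENSOR1_CONF = """\
config hostname: sensor1
config interface: eth1
output database: log, mysql, user=snort password=snortpass dbname=snort host=10.10.12.1 sensor_name='sensor1'
"""
# Second sensor with the output line copied verbatim from the first (the question's "identical entry").
SENSOR2_CONF_COPIED = SENSOR1_CONF.replace("hostname: sensor1", "hostname: sensor2")
# Second sensor fixed as the reply suggests: its own sensor_name, same central database.
SENSOR2_CONF_FIXED = SENSOR2_CONF_COPIED.replace("sensor_name='sensor1'", "sensor_name='sensor2'")
# Second sensor still pointing at its local MySQL instance.
SENSOR2_CONF_LOCAL = SENSOR2_CONF_FIXED.replace("host=10.10.12.1", "host=127.0.0.1")

if __name__ == "__main__":
    cases = [("copied entry", SENSOR2_CONF_COPIED),
             ("fixed", SENSOR2_CONF_FIXED),
             ("local database", SENSOR2_CONF_LOCAL)]
    for title, second in cases:
        print(f"== sensor2 with {title} ==")
        for finding in check_sensors({"sensor1": SENSOR1_CONF, "sensor2": second}) or ["OK: consistent"]:
            print("  " + finding)
```

Run it against the real files (one dict entry per sensor, read from disk) before restarting barnyard2 on both boxes; an empty result means every sensor has its own name and all of them target the same host and dbname. The bind-address question in the original message is outside this check, which only looks at the barnyard2 side.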
Current thread:
- Multiple sensors one database Atkins, Dwane P (Apr 12)
- Re: Multiple sensors one database beenph (Apr 12)
- Re: Multiple sensors one database Atkins, Dwane P (Apr 12)
- Re: Multiple sensors one database Atkins, Dwane P (Apr 13)
- Re: Multiple sensors one database beenph (Apr 13)
- Re: Multiple sensors one database Atkins, Dwane P (Apr 12)
- Re: Multiple sensors one database beenph (Apr 12)