Re: Disable local logging

[Guillaume <guillaume () anteria fr>]

En réponse à Frank Reid <fcreid () ourcorner org>:

> Is there a way to disable local logging (to /var/log/snort) entirely,
> or does that break normal operations?  (It may be something simple in
> snort.conf, but I can't find it.)  On my active sensors, I've found the
> log directory fills up quickly to a point where Snort can no longer add
> directory entries.  It may be unrelated, but it also appears Snort
> occasionally stops reporting upstream to the MySQL database under
> heavy traffic volume.  The Snort process doesn't die on the sensor, so the
> demarc wrapper does not know to restart it.

I also noticed that: I use MySQL output plugin, but snort does log some stuff
under /var/log/snort although. I think (but it is perfectly empiric!) that when
too heavyly stressed, MySQL timeouts make snort logging locally. Maybe a MySQL
related issue...

Anyway, I planned to switch from direct MySQL logging to some kind of
post-log-processing (i.e. alerts locally logged and periodically extracted and
sent to the MySQL db by some PERL script).

Guillaume

***********************************
Sent with HORDE/IMP (www.horde.org)

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users