Logging to a File Quickly

Table of contents:

Problem

You want to increase the speed of logging your output to a file.

Solution

Edit the /etc/snort.conf file to use unified logging:

output alert_unified: filename snort.alert, limit 128

output log_unified: filename snort.log, limit 128

 

Discussion

Unified logging uses a Snort output plug-in to reduce the load on the Snort processing engine. To enable unified logging, you must uncomment and configure the following output plug-ins in the /etc/snort.conf file:

# unified: Snort unified binary format alerting and logging

# -------------------------------------------------------------

# The unified output plugin provides two new formats for logging and 

# generating alerts from Snort, the "unified" format. The unified 

# format is a straight binary format for logging data out of Snort 

# that is designed to be fast and efficient. Used with barnyard (the 

# new alert/log processor), most of the overhead for logging and 

# alerting to various slow storage mechanisms such as databases or the

# network can now be avoided.

#

# Check out the spo_unified.h file for the data formats.

#

# Two arguments are supported.

# filename - base filename to write to (current time_t is appended)

# limit - maximum size of spool file in MB (default: 128)

#

output alert_unified: filename snort.alert, limit 128

output log_unified: filename snort.log, limit 128

Both the filename and file size limit parameters are configurable. Unified logs have a varying number assigned to them after the .alert and .log filename extensions. In our example, running Snort with the following command-line options created the unified logging files snort.alert.1086463191 and snort.log.1086463191 in the C:Snortlog directory:

C:Snortin> snort -l c:snortlog -c c:snortetcsnort.conf

If you're using Snort on a very high-speed network, such as 1Gbps or greater, you benefit from unified logging. This allows the Snort engine to write logs and alerts quickly to a binary file, while offloading the spooling and processing to another program. Offloading the processing of the logs and alerts means that Snort can spend more time capturing data, thus decreasing the likelihood that packets are dropped. You must use a unified log reader, such as Barnyard, to process the logfiles.

See Also

Recipe 5.9

Logging Only Alerts

Installing Snort from Source on Unix

Logging to a File Quickly

How to Build Rules

Detecting Stateless Attacks and Stream Reassembly

Managing Snort Sensors

Generating Statistical Output from Snort Logs

Monitoring Network Performance

Index



Snort Cookbook
Snort Cookbook
ISBN: 0596007914
EAN: 2147483647
Year: 2006
Pages: 167

Flylib.com © 2008-2020.
If you may any questions please contact us: flylib@qtcs.net