This is a discussion on Snort, unified logs, mudpit and me within the Snort forums, part of the System Security and Security Related category.
[Tried to post this via the usual method, and got a strange message from Ofcom?!]

Hi all,

I'm trying to set up what I think is "a normal" system pair:

System 1: The Snort machine (Devil)
System 2: The log processing / alerting machine (Slackware 9.x)

Having done lots and lots of reading, it seems that the unified (binary) output is "best" (as non-unified seems to lead to problems).

[As a side note, I did look at FLoP but patching snort is not an option due to the fact that I'm using a pre-built live-CD for system 1]

Now, it seems that I have two options on system 2 - either Barnyard or Mudpit. Seeing as I can't get Barnyard to configure (tried MySQL 3.23, 4.017, my_connect, mysql_real_connect and all those other "fixes" to no avail), I'm forced to use Mudpit. As I'm sure anyone else using mudpit is aware, there isn't a whole lot of documentation ;)

I'm currently getting my head round the Mudpit configuration, more specifically the Spool section. The section starts like this:

    # Spool configurarion. One or more spools should be configured.
    # Spool definition contains the absolute path to a spool directory
    # (that is, the directory containing Snort's log/alert file pair)
    # and parameters for the spool processor.

Seems fair enough. In the Snort configuration file, there is this information:

    # Two arguments are supported.
    # filename - base filename to write to (current time_t is appended)
    # limit - maximum size of spool file in MB (default: 128)
    #
    # output alert_unified: filename snort.alert, limit 128
    # output log_unified: filename snort.log, limit 128

Hm. This raises 2 questions:

1.) How does one specify that these two files should actually be sent on a remote machine? In the MySQL example, it is obvious that you can specify a host, but mudpit requires the files :/

2.) As these log files need to reside on a remote system, how would the limit work?

I may, of course, also be going along the wrong track, so any pointers much appreciated!
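The two config comments quoted in the post describe a producer/consumer pair: Snort writes `<filename>.<time_t>` and starts a new file once `limit` is reached, and a spool processor (mudpit, barnyard) walks the spool directory, reads those files in order and must remember where it stopped so a restart does not re-emit old alerts. The following is an added example written for this page, not code from the post, from Snort, or from mudpit. It models only the file naming, the size-based rollover and the bookmark logic; it does not parse the real unified binary record format. Assumptions, labelled in the code: records are fixed-size opaque 16-byte blobs, the "time_t" suffix is passed in by the caller so the run is deterministic (real Snort uses the current clock), and the rollover rule is "open a new file when the next record would exceed the limit".

```python
import os
import re
import tempfile

RECORD_SIZE = 16  # assumption: fixed-size opaque records in the constructed files


class UnifiedLikeWriter:
    """Mimics the naming and size rollover of Snort's unified output plugins.

    Files are named <base>.<time_t> inside spool_dir. When the next record
    would push the current file past limit_bytes, a new file is opened with
    the time_t supplied by the caller (assumption: caller passes increasing
    values, so no two files collide on the same suffix).
    """

    def __init__(self, spool_dir, base, limit_bytes):
        self.spool_dir = spool_dir
        self.base = base
        self.limit_bytes = limit_bytes
        self.current = None  # path of the file currently being written
        self.size = 0

    def _open(self, time_t):
        self.current = os.path.join(self.spool_dir, f"{self.base}.{time_t}")
        self.size = 0

    def write(self, record, time_t):
        if self.current is None or self.size + len(record) > self.limit_bytes:
            self._open(time_t)  # rollover: same base name, new time_t suffix
        with open(self.current, "ab") as f:
            f.write(record)
        self.size += len(record)


class SpoolReader:
    """Processes <base>.<time_t> files oldest-first and keeps a bookmark.

    The bookmark (time_t, offset) plays the role of a spool processor's
    position file: a restarted reader continues after the last complete
    record instead of re-emitting everything already in the spool.
    """

    def __init__(self, spool_dir, base, record_size=RECORD_SIZE):
        self.spool_dir = spool_dir
        self.base = base
        self.record_size = record_size
        self.bookmark = (0, 0)
        self._pat = re.compile(r"^" + re.escape(base) + r"\.(\d+)$")

    def files(self):
        """Return (time_t, path) pairs for the spool's files, oldest first."""
        found = []
        for name in os.listdir(self.spool_dir):
            m = self._pat.match(name)
            if m:
                found.append((int(m.group(1)), os.path.join(self.spool_dir, name)))
        return sorted(found)

    def process(self):
        """Return the new complete records written since the last call."""
        records = []
        mark_t, mark_off = self.bookmark
        for time_t, path in self.files():
            if time_t < mark_t:
                continue  # older file, already consumed in full
            offset = mark_off if time_t == mark_t else 0
            with open(path, "rb") as f:
                f.seek(offset)
                data = f.read()
            # Only hand out whole records; a partial tail means Snort is
            # still writing it, so leave the bookmark before it.
            usable = len(data) - len(data) % self.record_size
            for i in range(0, usable, self.record_size):
                records.append(data[i:i + self.record_size])
            self.bookmark = (time_t, offset + usable)
        return records


def run_demo():
    """Constructed scenario: a 40-byte limit forces rollovers, then the reader
    is re-run (must emit nothing), sees one more record, then a partial tail."""
    spool = tempfile.mkdtemp(prefix="spool-")
    w = UnifiedLikeWriter(spool, "snort.alert", limit_bytes=40)
    for i in range(5):
        w.write(bytes([i]) * RECORD_SIZE, time_t=1000 + i)
    r = SpoolReader(spool, "snort.alert")
    first = len(r.process())
    again = len(r.process())
    w.write(bytes([5]) * RECORD_SIZE, time_t=1005)
    after_append = len(r.process())
    with open(w.current, "ab") as f:
        f.write(b"\x00" * 5)  # simulate a record caught mid-write
    partial = len(r.process())
    files = [os.path.basename(p) for _, p in r.files()]
    return {"files": files, "first": first, "again": again,
            "after_append": after_append, "partial": partial,
            "bookmark": r.bookmark}


if __name__ == "__main__":
    print(run_demo())
```

Two things the run makes visible that the config comments only imply: the `limit` is enforced on the machine where Snort writes (rollover just produces another `snort.alert.<time_t>` file beside the first), and whatever transports those files to the second machine has to deliver them into one directory with their names intact, because the spool reader orders and bookmarks by the time_t suffix.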