Re: [Snort-users] Performance Question

Posted 02-20-2004 by twig les


--- Martin_Bündgens <mb@insidetheweb.de> wrote:
> Hello,
>
> I installed Snort 2.01 as SuSE 9 RPM. The program itself logs all rule
> faults in /var/log/snort as complete snort.log + creates for all IPs an
> extra folder inclusive the fault message as single file from the IP.
>
> My first question, is this a common option that Snort creates an extra
> folder for all IPs?
> If not, how to deactivate it.
>
> Second question, can these tons of folders/files (about 2000-5000)
> affect the server performance?
>
> I don't think so, but one person from our data center insists that the
> "snort" logging process is the problem for high loads in combination
> with logrotate.
>
> Thanks for your time.
>
> Regards,
> Martin Bündens
>


1. This is a default behavior that you can turn off with the -N
switch.

2. There are 3 major ways to measure server performance (IMO,
don't fillet me plz): CPU, Memory and disk I/O. This logging to
disk will hurt you on disk I/O. Screw around with vmstat and
see if your disk is the biggest bottleneck. They can take up a
lot of room too and gzipping a 250 meg file on a production box
is no fun either, can peg the CPU some which may be what your
data center buddy is talking about. If so tell him to renice
the proc for starters.

I don't personally find this structure to be very helpful but
some people use the info for homegrown shell or perl scripts.
It's up to you.

=====
-----------------------------------------------------------
With a few exceptions, secrecy is deeply incompatible with
democracy and with science.
--Carl Sagan
-----------------------------------------------------------
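
The two checks suggested in the reply above (how many per-IP folders exist, and whether `vmstat` shows the disk as the bottleneck), written as an added example that is not part of the original post. The function names, the sample `vmstat` output and the 20% iowait / 70% CPU thresholds are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example, not from the original post. Function names are hypothetical.

# Count the per-IP subdirectories under a Snort log directory ($1).
count_ip_dirs() {
    n=0
    for d in "$1"/[0-9]*.[0-9]*.[0-9]*.[0-9]*/; do
        if [ -d "$d" ]; then n=$((n + 1)); fi
    done
    echo "$n"
}

# Read `vmstat <interval> <count>` output on stdin and name the bottleneck.
# Columns are located by header name because their order and number vary
# between procps versions. Thresholds (20% iowait, 70% CPU) are assumptions.
vmstat_bottleneck() {
    awk '
    $1 == "r" && $2 == "b" {               # header row: map name -> position
        for (i = 1; i <= NF; i++) col[$i] = i
        next
    }
    ("wa" in col) && $1 ~ /^[0-9]+$/ {     # data row
        if (++seen == 1) next              # first row is the since-boot average
        us += $(col["us"]); sy += $(col["sy"]); wa += $(col["wa"]); rows++
    }
    END {
        if (rows == 0) { print "unknown"; exit }
        cpu = (us + sy) / rows; io = wa / rows
        if (io >= 20 && io > cpu) print "disk-io"
        else if (cpu >= 70)       print "cpu"
        else                      print "neither"
    }'
}

# Constructed sample: a box spending most of its time waiting on disk writes.
sample_vmstat() {
    cat <<'EOF'
procs -----------memory---------- ---swap-- -----io---- -system-- ------cpu-----
 r  b   swpd   free   buff  cache   si   so    bi    bo   in   cs us sy id wa st
 1  0      0 512000  40000 300000    0    0    12    30  100  200  5  2 92  1  0
 0  3      0 498000  40100 301000    0    0    40  5200  450  900  6  4 30 60  0
 0  4      0 497000  40100 301500    0    0    20  6100  470  950  8  5 22 65  0
 1  3      0 496500  40150 302000    0    0    16  5800  460  930  7  4 29 60  0
EOF
}

sample_vmstat | vmstat_bottleneck
```

On a live sensor, feed it real samples with `vmstat 5 12 | vmstat_bottleneck` and run `count_ip_dirs /var/log/snort` to see how many per-IP folders have accumulated.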
