Scott Pack

Asked: 2012-06-12 12:10:28 +0800 CST2012-06-12 12:10:28 +0800 CST 2012-06-12 12:10:28 +0800 CST

Implications of unified2 logging with multiple instances of snort

I am beginning to migrate my snort logging from alert_syslog to unified2 using barnyard2 as the processor. In some cases I have multiple instances of snort running on the same system. Since I have historically used syslog, it handled the multiple log input without problem, however with the switch to unified2 I am concerned about write collisions.

Currently, I am using the same snort.conf for each instance, and managing the separate instances in /etc/sysconfig/snort. Primarily for simplicity of configuration, and partially for development time on my part, I would like to be able to maintain the same snort.conf. Which, of course, means having all instances writing to the same unified log file.

I am concerned about write collisions as multiple processes attempt to write to the same file. Is this a known safe approach with snort? Are the write methods used by the unified2 output processor thread safe? Can anyone comment on the likelihood of total protonic reversal by doing this?

Implications of unified2 logging with multiple instances of snort

Can you pass user/pass for HTTP Basic Authentication in URL parameters?

Ping a Specific Port

Check if port is open or closed on a Linux server?

How to automate SSH login with password?

How do I tell Git for Windows where to find my private RSA key?

What's the default superuser username/password for postgres after a new install?

What port does SFTP use?

Command line to list users in a Windows Active Directory group?

What is a Pem file and how does it differ from other OpenSSL Generated Key File Formats?

How to determine if a bash variable is empty?

Implications of unified2 logging with multiple instances of snort

0 Answers