Disk Usage

From NSMWiki
Jump to: navigation, search

Sguil differentiates itself from Web-based alert browsers and many other "IDS" products by not simply being an interface to Snort alerts. Most Sguil installations collect session data with SANCP and full content data with a second instance of Snort or another tool like Daemonlogger. As a result, default Sguil installations require much more disk space than what new users consider to be normal for detection operations.

The purpose of this section of the NSM Wiki is to let users share their disk usage experiences. This will help guide partitioning and storage requirements for those trying to build and maintain NSM sensors.

Some sites use individual local disks to store traffic on very low-volume installations, though most disks cannot stand up well to the sheer amount of I/O and tend to fail pretty quickly. Many sites use RAID arrays to increase storage space and spread the I/O load over many disks, and this seems to work well. You might also be interested in a SAN solution (but read this note first).