Disk Usage

From NSMWiki
Revision as of 07:49, 23 August 2007 by Bianco (Talk | contribs)

(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to: navigation, search

Sguil differentiates itself from Web-based alert browsers and many other "IDS" products by not simply being an interface to Snort alerts. Most Sguil installations collect session data with SANCP and full content data with a second instance of Snort or another tool like Daemonlogger. As a result, default Sguil installations require much more disk space than what new users consider to be normal for detection operations.

The purpose of this section of the NSM Wiki is to let users share their disk usage experiences. This will help guide partitioning and storage requirements for those trying to build and maintain NSM sensors.

Some sites use individual local disks to store traffic on very low-volume installations, though most disks cannot stand up well to the sheer amount of I/O and tend to fail pretty quickly. Many sites use RAID arrays to increase storage space and spread the I/O load over many disks, and this seems to work well. You might also be interested in a SAN solution (but read this note first).