From: Erick Mechler (emechler_at_techometer.net)
Date: Tue Jan 28 2003 - 19:50:53 CST


    :: This happens with a db that has ~60k events in it. I recently (yesterday)
    :: deleted ~1M rows but after that the tables were optimized. I'm trying to
    :: get to the point where I archive on a regular basis - part of that process
    :: involves searching, which is where I'm stuck now :-).

    How long does it take for the search page to come up (even in a partial
    state)? How big is the Snort data table on your disk? I've seen problems
    with ACID where you try to remove old alerts, but it only removes the alert
    entry from the acid_alert table, not the data table. As such, when I
    thought I was cleaning out old stuff I really had a data table that wasn't
    getting cleaned out.

    This data inconsistency that seems to present itself with large tables is
    fairly worrisome which is why I'm writing a small DBI script to remove old
    alerts entirely.

    Cheers - Erick
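
The inconsistency described in the message above, reproduced as an added example (not code from the original post or from ACID). It uses a constructed, simplified two-table schema in SQLite: the `sid`/`cid` key columns, the `timestamp` column and all function names are assumptions made for illustration.

```python
import sqlite3

def build_sample_db():
    """Constructed in-memory stand-in for the alert table and the payload table."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE acid_alert (sid INT, cid INT, timestamp TEXT, PRIMARY KEY (sid, cid));
        CREATE TABLE data (sid INT, cid INT, data_payload TEXT, PRIMARY KEY (sid, cid));
    """)
    # Constructed sample alerts: (sensor id, event id, time).
    alerts = [(1, 1, "2002-11-02 10:00:00"), (1, 2, "2002-12-15 08:30:00"),
              (1, 3, "2003-01-20 23:10:00"), (1, 4, "2003-01-27 04:45:00")]
    db.executemany("INSERT INTO acid_alert VALUES (?, ?, ?)", alerts)
    db.executemany("INSERT INTO data VALUES (?, ?, ?)",
                   [(s, c, "payload-%d" % c) for s, c, _ in alerts])
    db.commit()
    return db

def count_orphans(db):
    """Payload rows whose (sid, cid) no longer has a matching alert row."""
    return db.execute("""
        SELECT COUNT(*) FROM data
        WHERE NOT EXISTS (SELECT 1 FROM acid_alert a
                          WHERE a.sid = data.sid AND a.cid = data.cid)
    """).fetchone()[0]

def partial_delete(db, cutoff):
    """The failure mode: old alerts are removed, their payload rows are not."""
    with db:
        db.execute("DELETE FROM acid_alert WHERE timestamp < ?", (cutoff,))

def purge_old_alerts(db, cutoff):
    """Delete old alerts, then sweep every payload row left without an alert,
    all in one transaction. Returns the number of payload rows removed."""
    with db:  # commits on success, rolls back if any statement fails
        db.execute("DELETE FROM acid_alert WHERE timestamp < ?", (cutoff,))
        cur = db.execute("""
            DELETE FROM data
            WHERE NOT EXISTS (SELECT 1 FROM acid_alert a
                              WHERE a.sid = data.sid AND a.cid = data.cid)
        """)
    return cur.rowcount
```

Running `count_orphans` before and after a cleanup job shows whether the payload table is actually shrinking along with the alert table.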
