Another possible consideration, independent of a particular database's capability, is to use a port wrapper such as stunnel to encrypt communication.
Snort can log a given event to multiple output plugins. The proper way to support multiple output targets is to specify the configurations of all the output plugins in the snort configuration file. For example, to log to both syslog and a database, the directives output alert_syslog and output database should both be used in the configuration file.
In the case of text file and database logging, the directives output alert_fast or output alert_full (depending on the level of detail desired in the text files) and output database should be used.
The most common problem with logging to the database and other targets (e.g., syslog or text files) is mixing command line logging options such as -A or -s with logging configurations specified in the config file. Command line logging options always override any setting specified in the configuration file. Hence, database logging will not occur if any command-line logging options are specified. In this case, snort will produce the following error:
WARNING: command line overrides rules file alert plugin!
Note: There is a known issue with using domain sockets when logging to multiple PostgreSQL databases. Use TCP/IP logging for this configuration.
"sensor_name" parameter in the database plugin configuration. Explicitly naming (with a unique value) each instance of snort via the sensor_name parameter will override the default naming algorithm, which would otherwise give the multiple instances of snort the same sensor ID (name). Without a unique sensor ID, certain writes into the database would fail because of a duplicate key issue.
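The command-line override problem and the sensor_name uniqueness rule above, as an added pre-flight check written for this page (not part of Snort). It assumes the Snort 2.x "output <plugin>: <args>" directive syntax; the file names, credentials and sensor names are constructed placeholders.

```shell
#!/bin/sh
# Pre-flight check for the two pitfalls described above. Assumes Snort 2.x
# "output <plugin>: <args>" syntax; files, credentials and names are constructed.

# Constructed config for sensor A: syslog plus database logging.
cat > sensor_a.conf <<'EOF'
output alert_syslog: LOG_AUTH LOG_ALERT
output database: log, mysql, user=snort password=REPLACE_ME dbname=snort host=127.0.0.1 sensor_name=sensor_a
EOF
# Constructed config for sensor B that reuses sensor A's sensor_name (the duplicate-key case).
cat > sensor_b.conf <<'EOF'
output alert_fast: alert.fast
output database: log, mysql, user=snort password=REPLACE_ME dbname=snort host=127.0.0.1 sensor_name=sensor_a
EOF

# Print the output plugins named in a config file, one per line (colon stripped).
configured_outputs() {
    grep -E '^[[:space:]]*output[[:space:]]' "$1" | awk '{ sub(/:$/, "", $2); print $2 }'
}

# Succeed (0) when the snort command line carries -A or -s, which replaces
# every "output" directive in the config file.
cli_overrides_config() {
    for arg in "$@"; do
        case "$arg" in -A*|-s) return 0 ;; esac
    done
    return 1
}

# Fail (1) and explain when the config wants database logging but the
# command line would override it; succeed otherwise.
check_logging() {
    conf="$1"; shift
    if configured_outputs "$conf" | grep -qx database && cli_overrides_config "$@"; then
        echo "$conf: -A/-s on the command line overrides 'output database'" >&2
        return 1
    fi
    return 0
}

# Print each sensor_name that appears in more than one config (should print nothing).
duplicate_sensor_names() {
    grep -ho 'sensor_name=[^[:space:]]*' "$@" | sort | uniq -d
}

# Stand-alone demo: the second call reports the override; the third finds the duplicate.
check_logging sensor_a.conf -c sensor_a.conf -i eth0 && echo "sensor_a: database logging active"
check_logging sensor_a.conf -c sensor_a.conf -A fast || echo "sensor_a: database logging lost"
duplicate_sensor_names sensor_a.conf sensor_b.conf
```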