Choosing the Database System

KFSensor can store events in an SQL database.

The KFSensor Reports module relies on a SQL database to analyse the data, so a database must be set up before KFSensor Reports can be used.

Using a database also improves performance of the monitor.

SQL Database is optional

The use of a SQL database is optional. KFSensor always records events into XML files, which it stores on the local machine. The only part of KFSensor that relies on a database is the KFSensor Reports module and, while very useful, that module is not essential to the system.

It may be best not to use a database in the following situations.

  • When running a Sensor in the Enterprise Edition
    Logs from sensors are collated and added to a central database server, so there is no need to configure a sensor to write to a database directly.
  • When running on a low specification machine.
    KFSensor will run well with small resource requirements on its own. Using a database will add to the host requirements.
  • When evaluating KFSensor
    KFSensor can be used as soon as it is installed, but configuring KFSensor to use a database takes time to set up. It is always possible to add a database to the system later on.

Which SQL database to use

KFSensor supports two database systems: Microsoft SQL Server and MySQL.

SQL Server Express is suitable for all but the largest deployments of KFSensor. It is free and is the most popular option amongst KFSensor users.

Where to install the SQL database

The database server may be installed in one of two places:

  • A database installed on the local host with KFSensor
    Using the same host machine is the simplest way of setting up the system.
  • A database installed on a remote host
    Using a remote host offers better performance and allows KFSensor to share a database server with other applications. This is the most cost-effective configuration if one of the full, paid-for SQL Server editions is being used.

There are issues with both the local and remote deployment options that require additional configuration steps to resolve. These are described fully in the next section, but they may affect your choice of option, so they are summarised here.

  • A database installed on the local host with KFSensor
    Database servers are a popular target for attackers and should not be accessible from outside the honeypot host. KFSensor simulates both SQL Server and MySQL to monitor attacks in a secure way. Having a real database server on the same machine requires additional configuration to make it secure and to prevent it from occupying the same port as the simulated service.
  • A database installed on a remote host
    Configuring the database security to allow KFSensor to access the database can be complicated and may require domain-level admin rights to complete the configuration.
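One way to check for the local-host issues summarised above, as an added example that is not part of the KFSensor manual: a Python script that scans `netstat -ano` output (a constructed sample is embedded here) for a real SQL Server or MySQL listener on the ports the simulated services need, and reports whether each one collides with the honeypot and whether it is bound to a non-loopback address. The ports 1433 and 3306 are assumed to be the defaults in use; the manual itself does not state them.

```python
from dataclasses import dataclass

# Assumption: KFSensor's simulated SQL Server and MySQL services listen on the
# products' default ports; adjust if your KFSensor scenario uses other ports.
HONEYPOT_DB_PORTS = {1433: "SQL Server", 3306: "MySQL"}

# Constructed sample of `netstat -ano` output from a Windows honeypot host.
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:1433           0.0.0.0:0              LISTENING       1234
  TCP    127.0.0.1:3306         0.0.0.0:0              LISTENING       2345
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING       3456
  TCP    192.168.1.10:49152     192.168.1.20:443       ESTABLISHED     4567
"""

@dataclass(frozen=True)
class Finding:
    port: int
    service: str
    address: str
    pid: int
    exposed: bool   # True when the socket is reachable from other hosts

def is_loopback(address):
    """True for 127.x.x.x and ::1 (netstat prints IPv6 addresses in brackets)."""
    address = address.strip("[]")
    return address.startswith("127.") or address == "::1"

def parse_listeners(netstat_text):
    """Yield (address, port, pid) for every LISTENING TCP socket."""
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "TCP" or fields[3] != "LISTENING":
            continue
        address, port = fields[1].rsplit(":", 1)
        yield address, int(port), int(fields[4])

def check_db_listeners(netstat_text):
    """Report real database listeners that occupy the honeypot's SQL ports."""
    findings = []
    for address, port, pid in parse_listeners(netstat_text):
        service = HONEYPOT_DB_PORTS.get(port)
        if service is None:
            continue
        # Any real listener on this port blocks the simulated service; one bound
        # to all interfaces (0.0.0.0 or [::]) is also reachable from outside.
        findings.append(Finding(port, service, address, pid, not is_loopback(address)))
    return findings
```

On a real host, pass the captured output of `netstat -ano` to check_db_listeners and treat every Finding as a configuration item to resolve before the honeypot goes live.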
