[Bro-Dev] DataSeries for Bro

Martin Arlitt martin.arlitt at ucalgary.ca
Fri Oct 22 15:44:37 PDT 2010


Hi Robin,

the technical report is now available at:
http://www.hpl.hp.com/techreports/2010/HPL-2010-164.html

The work has more focus on Apache than Bro, primarily because I couldn't 
get Sergey access to Bro on a production network. However, he did 
integrate DataSeries with Bro and ran some tests. I think his work does 
show that DataSeries has clear benefits for log collection and analysis 
with these types of applications.

There is at least one thing we would do differently if we started over 
again, and that is to use an in-memory buffer for log entries before 
writing an extent to disk. Sergey used a temporary file because he was 
concerned about messing up Apache's memory management, and then followed 
the same approach when he added DataSeries logging to Bro. Obviously for 
those familiar with the Bro source, this shouldn't be an issue.

If you or anyone else has questions about this, please let me know.

Thanks,
Martin
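The design change Martin describes, buffering log entries in memory and writing each extent to disk as one unit instead of staging entries in a temporary file, as an added illustration that is not part of the original post and not the DataSeries or Bro source. The extent layout (a count and byte-length header followed by length-prefixed records), the 64-byte flush threshold and the sample log lines are all constructed for this example; a real DataSeries extent is structured differently.

```cpp
// Added example (not DataSeries or Bro code): buffer log records in memory
// and emit them as a single extent once a size threshold is reached.
#include <cstdint>
#include <cstring>
#include <iostream>
#include <sstream>
#include <string>
#include <vector>

class BufferedExtentWriter {
public:
    // sink: where finished extents are written; extent_bytes: flush threshold
    // (both assumed for illustration, not DataSeries parameters)
    BufferedExtentWriter(std::ostream& sink, std::size_t extent_bytes)
        : sink_(sink), extent_bytes_(extent_bytes) {}

    // Append one log entry; flush automatically when the extent is full.
    void add(const std::string& record) {
        // Length-prefix each record so the extent can be parsed back later.
        uint32_t len = static_cast<uint32_t>(record.size());
        const char* lp = reinterpret_cast<const char*>(&len);
        buf_.insert(buf_.end(), lp, lp + sizeof len);
        buf_.insert(buf_.end(), record.begin(), record.end());
        ++pending_;
        if (buf_.size() >= extent_bytes_) flush();
    }

    // Write buffered records as one extent: [record count][byte length][payload].
    void flush() {
        if (pending_ == 0) return;
        uint32_t count = pending_;
        uint32_t bytes = static_cast<uint32_t>(buf_.size());
        sink_.write(reinterpret_cast<const char*>(&count), sizeof count);
        sink_.write(reinterpret_cast<const char*>(&bytes), sizeof bytes);
        sink_.write(buf_.data(), static_cast<std::streamsize>(buf_.size()));
        buf_.clear();
        pending_ = 0;
        ++extents_written_;
    }

    std::size_t extents_written() const { return extents_written_; }

private:
    std::ostream& sink_;
    std::size_t extent_bytes_;
    std::vector<char> buf_;
    uint32_t pending_ = 0;
    std::size_t extents_written_ = 0;
};

// Parse extents back out of a byte string; returns the records in order.
// Stops at a truncated extent instead of reading past the end of the data.
std::vector<std::string> read_extents(const std::string& data) {
    std::vector<std::string> out;
    std::size_t pos = 0;
    while (pos + 8 <= data.size()) {
        uint32_t count, bytes;
        std::memcpy(&count, data.data() + pos, 4);
        std::memcpy(&bytes, data.data() + pos + 4, 4);
        pos += 8;
        std::size_t end = pos + bytes;
        if (end > data.size()) break;  // truncated extent
        for (uint32_t i = 0; i < count && pos + 4 <= end; ++i) {
            uint32_t len;
            std::memcpy(&len, data.data() + pos, 4);
            pos += 4;
            if (pos + len > end) break;  // record overruns its extent
            out.emplace_back(data, pos, len);
            pos += len;
        }
        pos = end;
    }
    return out;
}

// Feed constructed sample entries through the writer; returns extents written
// and the records recovered by re-parsing the output.
std::size_t demo_write(std::string& out_bytes, std::vector<std::string>& recovered) {
    std::ostringstream sink;
    BufferedExtentWriter w(sink, 64);  // tiny extents so the flush is visible
    const char* samples[] = {          // constructed sample access-log lines
        "1287787477.123 192.0.2.10 GET /index.html 200",
        "1287787478.456 192.0.2.11 GET /logo.png 304",
        "1287787479.789 192.0.2.12 POST /login 302",
    };
    for (const char* s : samples) w.add(s);
    w.flush();  // at shutdown, push out the partially filled extent
    out_bytes = sink.str();
    recovered = read_extents(out_bytes);
    return w.extents_written();
}

std::size_t demo_extent_count() {
    std::string b; std::vector<std::string> r; return demo_write(b, r);
}
std::vector<std::string> demo_recovered() {
    std::string b; std::vector<std::string> r; demo_write(b, r); return r;
}

int main() {
    std::string bytes; std::vector<std::string> recs;
    std::size_t n = demo_write(bytes, recs);
    std::cout << n << " extents, " << bytes.size() << " bytes, "
              << recs.size() << " records recovered\n";
    return 0;
}
```

With the 64-byte threshold the first two entries fill one extent and the third is written by the explicit `flush()` at shutdown, so the buffer never touches the filesystem until a whole extent is ready. The point of keeping the buffer inside the logging process, as the post suggests, is that it is under the application's own memory management rather than living in a temporary file that has to be re-read before each extent is written.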
