[Bro] Couple elasticsearch questions

Seth Hall seth at icir.org
Wed Jul 23 12:44:00 PDT 2014

On Jul 23, 2014, at 1:11 PM, Hosom, Stephen M <hosom at battelle.org> wrote:

> How does Bro handle indexes within ES? Does it rotate indexes, or does it write to one extremely large index with TTLs?

Right now we're handling indexes with Bro log rotation.  The logs-to-elasticsearch script sets a log rotation interval of 3 hours so you'll have a new index created every three hours.  Bro is also not doing anything to clean up old indexes so you'll have to do that on your own.


Seth Hall
International Computer Science Institute
(Bro) because everyone has a network

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 495 bytes
Desc: Message signed with OpenPGP using GPGMail
Url : http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20140723/cd28914a/attachment.bin 

More information about the Bro mailing list