[Bro] elastic search / bro questions
blackhole.em at gmail.com
Thu Nov 6 16:54:13 PST 2014
Just going to throw this out there and hope some people are willing to
potentially share some learning experiences if they have any.
We have a system which generates around 15k-30k BRO events/sec and are
trying to ingest these logs into a fairly beefy elasticsearch cluster.
Total cluster memory ~300GB, storage ~300TB.
Long story short, we're having some problems keeping up with this feed.
Does anyone have any performance tuning with this module? I've played a
lot with rsyslog batch sizes with elasticsearch and was hoping there would
be some simple directive I could try and apply to BRO.
Does anyone have this experience here? Does this module batch anything?
Thanks in advance.