[Bro] Get the license usage down in Splunk when indexing Bro logs

Hosom, Stephen M hosom at battelle.org
Tue Jul 11 10:41:32 PDT 2017


Some people choose to implement Bro log filters that can result in a significant reduction in log volume. For example, if you filter all S0 connections originating from outside of your organization (and you also happen to listen outside of a firewall) this could reduce a substantial amount of log volume. 

-----Original Message-----
From: bro-bounces at bro.org [mailto:bro-bounces at bro.org] On Behalf Of Slagell, Adam J
Sent: Tuesday, July 11, 2017 11:03 AM
To: Mike Eriksson <mike at swedishmike.org>
Cc: bro at bro.org
Subject: Re: [Bro] Get the license usage down in Splunk when indexing Bro logs


Well if you are collecting net flows and conn.logs, you could get rid of one. If you are recapturing syslogs with Bro and sending them to Splunk, you could trim duplication there. If you are finding a ton of certificate information in your bro logs, you might realize some cost savings there. But I don’t have much advice beyond don’t send the same info twice and look for large amounts of data that you don’t really use in Splunk, like maybe certificates.


> On Jul 11, 2017, at 5:48 AM, Mike Eriksson <mike at swedishmike.org> wrote:
> 
> Hi all,
> 
> We're currently working on deploying Bro sensors to various offices and I've come to realise that the Bro logs are quite 'expensive' when it comes to Splunk licenses. To say the least.
> 
> We have discussed various solutions but most of them fall down on us losing the ability to correlate events unless we shift all the logs in to Splunk. 
> 
> At the moment we're running it pretty much 'out of the box' so we can save some GBs per day by turning off certain scripts, but it will probably not be enough.
> 
> Someone mentioned that turning on JSON logging instead of the standard logging on Bro could save considerable amounts of space on your SIEM. Have any of you guys tested this and can you back that statement up?
> 
> I was hoping that someone else had encountered this before and had come up with some solution(s) to this issue? 
> 
> Thanks in advance, Mike
> 
> 
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro


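The kind of log filter Stephen describes (dropping S0 connections whose originator is outside your own networks from conn.log before it reaches Splunk) can be done with a predicate on the default conn.log filter. The script below is an added example for this thread, not code from any of the posts or from the Bro project; it assumes Site::local_nets is populated (normally from networks.cfg via broctl), and the 10.0.0.0/8 range, the module name ConnTrim and the counter names are placeholders.

```bro
##! Suppress failed inbound connection attempts (conn_state S0) from
##! non-local originators so they never reach conn.log or the SIEM.
##! Example for the list thread, not code from the posts or from Bro itself.
##! Assumes Site::local_nets is set (normally by broctl from networks.cfg);
##! the range below is a placeholder.

@load base/protocols/conn
@load base/utils/site

redef Site::local_nets += { 10.0.0.0/8 };   # placeholder, use your real ranges

module ConnTrim;

export {
    ## Records suppressed and records written, so the effect of the
    ## filter can be measured instead of guessed at.
    global dropped: count = 0;
    global kept: count = 0;
}

function keep_conn(rec: Conn::Info): bool
    {
    # conn_state is &optional in Conn::Info, so test for presence first.
    if ( rec?$conn_state && rec$conn_state == "S0"
         && ! Site::is_local_addr(rec$id$orig_h) )
        {
        ++dropped;
        return F;
        }
    ++kept;
    return T;
    }

event bro_init() &priority=-5
    {
    # Fetch the default conn.log filter, attach the predicate and re-add it;
    # add_filter replaces the filter of the same name, so the output file
    # and its columns stay exactly as before, only the rows change.
    local f = Log::get_filter(Conn::LOG, "default");
    f$pred = keep_conn;
    Log::add_filter(Conn::LOG, f);
    }

event bro_done()
    {
    # Report what the filter removed so the licence saving is visible.
    print fmt("conn.log records kept=%d dropped (external S0)=%d", kept, dropped);
    }
```

Try it first against a trace with `bro -r sample.pcap conn-trim.bro` and compare the printed counts with the size of conn.log before and after; once you are happy with the ratio, `@load` it from local.bro. The trade-off to keep in mind is that external S0 records are also the raw evidence of inbound scanning, so keep the counters (or the Scan notices, which are generated from connection events and are unaffected by a log filter) so you do not lose sight of what you stopped indexing.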



More information about the Bro mailing list