[Bro] Allowing only certain log types
johanna at icir.org
Thu Jun 22 12:14:15 PDT 2017
in addition to disabling log files (which you can do using
Log::disable_stream, as was already pointed out), you can start Bro in
bare mode. This will not enable any analyzers by default, you will have to
load them manually, wich can save a bit of processing.
Note however that bare mode comes with its own complications - you have to
be sure that you load everything that is required (it is easy to, for
example, forget to load the dynamic protocol detection scripts); this is
not an approach I would generally recommend.
On Tue, Jun 13, 2017 at 05:43:54PM +0300, Sherif Eldeeb wrote:
> We are planning to only use the "logging" features of Bro, and for certain
> types, on a 10G link.
> I'd appreciate pointing me to right direction to only enable (conn.log,
> dns.log, http.log and ssl.log) while disabling all the others (to save
> processing cycles and storage) for the types that we won't use/need.
> Bro mailing list
> bro at bro-ids.org
More information about the Bro