[Bro-Dev] DataSeries for Bro
martin.arlitt at ucalgary.ca
Fri Oct 22 15:44:37 PDT 2010
the technical report is now available at:
The work has more focus on Apache than Bro, primarily because I couldn't
get Sergey access to Bro on a production network. However, he did
integrate DataSeries with Bro and ran some tests. I think his work does
show that DataSeries has clear benefits for log collection and analysis
with these types of applications.
There is at least one thing we would do differently if we started over
again, and that is to use an in-memory buffer for log entries before
writing an extent to disk. Sergey used a temporary file because he was
concerned about messing up Apache's memory management, and then followed
the same approach when he added DataSeries logging to Bro. Obviously for
those familiar with the Bro source, this shouldn't be an issue.
if you or anyone else has questions about this, please let me know.
More information about the bro-dev