[Bro-Dev] Update on log management

Martin Holste mcholste at gmail.com
Wed Aug 31 10:44:20 PDT 2011


> The "normal" Bro deployment is as a cluster at this point anyway where the manager is dedicated to notice handling and logging (as you've noticed, standalone instances basically suck for anything over 80Mbps).  Also, Gilbert has been spending the summer threading the logging framework and I *think* his branch is probably close to being integrated.  We basically planned on threading the logging framework from the start for all of the reasons that you mentioned. :)
>

Cool, got it.

> The rest of the filter actually works already except for the $writer. :)

Excellent!

> We've been poking around at various people and places trying to figure out what a Bro interface would look like and do.  I suspect we aren't too far off from movement in this area, but we have no plans yet.

Ok.

> I'm hoping to have a couple of people talk about this specifically at the Bro workshop.

Yes, I'm still hoping management will let me attend.  In the meantime,
if there are any incident responders on the list who wouldn't mind
sharing with me off-list in what capacity they use Bro, it would be
appreciated!