[Bro] Exporting bro alarms and notices

Martin Holste mcholste at gmail.com
Thu Nov 10 09:17:40 PST 2011


> No DB interface right now but the new 2.0 logging framework does allow
> to plugin different logging backends. Currently, we only have the
> ASCII writer that produces the *.log file you're seeing, but binary
> output and DB writers are planned. In fact, there's already a patch in
> the tracker adding CouchDB support:
>

Careful on the CouchDB stuff: the write performance is atrocious over
a sustained period.  I couldn't get a single-node install to receive
more than a few hundred events per second.  MongoDB will give you a
sustained few thousand writes per second, depending on how many
indexes you've created on the collection.  Even writing JSON blobs to
any traditional database works surprisingly well for most uses,
especially if you have it write to a few key-value columns for quick
indexing.

In the near-term, as I talked about at the workshop, I'll be
announcing an official ELSA release early next week which will read
syslog and handle grepping, basic reporting, and alerting for you from
a web interface.  (I didn't get to cover alerting in the talk, but
it's fully integrated as well.  There's also a CLI interface I didn't
cover, so you can use it like bro-cut.)
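As an added example (not code from the thread, from Bro or from ELSA), the pattern described above: parse the Bro 2.0 ASCII writer output, store each record as a JSON blob in an ordinary relational table, and copy a few hot fields (timestamp, hosts, notice type) into indexed columns so lookups stay fast without indexing the blob. The sample notice.log is constructed and abbreviated to a subset of the real notice.log fields; SQLite is used so it runs offline, and the table and column names are the example's own choice.

```python
import json
import sqlite3

# Constructed, abbreviated Bro 2.0 notice.log as written by the ASCII writer
# (tab-separated, "#"-prefixed header lines). Not a real capture.
SAMPLE_NOTICE_LOG = """#separator \\x09
#set_separator\t,
#empty_field\t(empty)
#unset_field\t-
#path\tnotice
#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tnote\tmsg\tactions
#types\ttime\tstring\taddr\tport\taddr\tport\tenum\tstring\tset[enum]
1320937060.123456\tCXWv6p3arKYeMETxOg\t10.0.0.5\t54321\t192.168.1.20\t22\tSSH::Password_Guessing\t10.0.0.5 appears to be guessing SSH passwords\tNotice::ACTION_LOG,Notice::ACTION_ALARM
1320937061.000000\t-\t10.0.0.9\t40000\t192.168.1.30\t80\tHTTP::SQL_Injection_Attacker\tAn SQL injection attacker was discovered!\tNotice::ACTION_LOG
#close\t2011-11-10-09-17-40
"""


def parse_bro_log(text):
    """Yield one dict per data row of a Bro 2.0 ASCII log.

    Header directives (#separator, #set_separator, #unset_field, #empty_field,
    #fields, #types) drive the parsing; other "#" lines (#path, #open, #close)
    are skipped. Values are typed from the #types line: counts/ports become
    int, time/interval/double become float, set/vector become lists, and the
    unset marker becomes None.
    """
    sep, set_sep, unset, empty = "\t", ",", "-", "(empty)"
    fields = types = None
    for line in text.splitlines():
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#separator "):
                # The separator line is written before the separator is known,
                # so it is space-delimited and escaped, e.g. "\x09".
                sep = line[len("#separator "):].encode().decode("unicode_escape")
                continue
            key, _, value = line[1:].partition(sep)
            if key == "set_separator":
                set_sep = value
            elif key == "unset_field":
                unset = value
            elif key == "empty_field":
                empty = value
            elif key == "fields":
                fields = value.split(sep)
            elif key == "types":
                types = value.split(sep)
            continue
        if fields is None:
            raise ValueError("data row before #fields header")
        row_types = types or ["string"] * len(fields)
        record = {}
        for name, typ, raw in zip(fields, row_types, line.split(sep)):
            is_container = typ.startswith(("set[", "vector[", "table["))
            if raw == unset:
                record[name] = None
            elif raw == empty:
                record[name] = [] if is_container else ""
            elif is_container:
                record[name] = raw.split(set_sep)
            elif typ in ("count", "int", "port"):
                record[name] = int(raw)
            elif typ in ("time", "interval", "double"):
                record[name] = float(raw)
            else:
                record[name] = raw
        yield record


def create_store(conn):
    """JSON blob per notice plus a few indexed columns for quick lookup.

    Column names are this example's choice; Bro's dotted field names such as
    id.orig_h are mapped to plain identifiers.
    """
    conn.execute(
        "CREATE TABLE IF NOT EXISTS notices ("
        " id INTEGER PRIMARY KEY, ts REAL, orig_h TEXT, resp_h TEXT,"
        " note TEXT, doc TEXT NOT NULL)"
    )
    for col in ("ts", "orig_h", "resp_h", "note"):
        conn.execute(f"CREATE INDEX IF NOT EXISTS notices_{col} ON notices({col})")
    conn.commit()


def store_records(conn, records):
    """Batch-insert records in one transaction; returns the row count."""
    rows = [
        (r.get("ts"), r.get("id.orig_h"), r.get("id.resp_h"), r.get("note"),
         json.dumps(r, sort_keys=True))
        for r in records
    ]
    with conn:  # one transaction for the whole batch, not one per row
        conn.executemany(
            "INSERT INTO notices (ts, orig_h, resp_h, note, doc) VALUES (?,?,?,?,?)",
            rows,
        )
    return len(rows)


def notices_from(conn, host):
    """Full records for an originating host, served from the indexed column."""
    cur = conn.execute(
        "SELECT doc FROM notices WHERE orig_h = ? ORDER BY ts", (host,)
    )
    return [json.loads(doc) for (doc,) in cur]


if __name__ == "__main__":
    db = sqlite3.connect(":memory:")
    create_store(db)
    print("stored", store_records(db, parse_bro_log(SAMPLE_NOTICE_LOG)), "notices")
    for rec in notices_from(db, "10.0.0.5"):
        print(rec["note"], rec["actions"])
```

The one-transaction `executemany` is what makes the "few thousand writes per second" figure realistic on a traditional database; committing per row is usually what drags it down to the CouchDB-like numbers mentioned above.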


