[Bro] elastic search / bro questions

Joe Blow blackhole.em at gmail.com
Thu Nov 6 16:54:13 PST 2014


Hey all,

Just going to throw this out there and hope some people are willing to
potentially share some learning experiences if they have any.

We have a system which generates around 15k-30k BRO events/sec and are
trying to ingest these logs into a fairly beefy elasticsearch cluster.
Total cluster memory ~300GB, storage ~300TB.

Long story short, we're having some problems keeping up with this feed.
Does anyone have any performance tuning with this module?  I've played a
lot with rsyslog batch sizes with elasticsearch and was hoping there would
be some simple directive I could try and apply to BRO.

Does anyone have this experience here?  Does this module batch anything?

Thanks in advance.

Cheers,

JB
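As an added illustration, not part of the original post: the batching knobs the question is asking about live in the `LogElasticSearch` module of Bro 2.x's ElasticSearch log writer (`base/frameworks/logging/writers/elasticsearch.bro`), and they can be overridden with `redef` from `local.bro`. The option names and defaults below are from my recollection of that script and the values are assumptions; check them against the installed copy before relying on them.

```bro
# Added example (not from the original post): tuning the Bro ElasticSearch
# writer's bulk-insert batching from local.bro. Assumption: Bro 2.x with the
# ES writer and the tuning/logs-to-elasticsearch policy script available.
@load tuning/logs-to-elasticsearch

# Where the cluster is reached (constructed placeholder values).
redef LogElasticSearch::server_host = "es-ingest.example.internal";
redef LogElasticSearch::server_port = 9200;
redef LogElasticSearch::index_prefix = "bro";

# Batching: a bulk request is flushed when ANY of these limits is hit.
# Stock defaults are roughly 1000 records / 1 min / 1 MiB; for a
# 15k-30k events/sec feed, larger batches cut the number of HTTP bulk
# calls the writer thread has to wait on.
redef LogElasticSearch::max_batch_size = 5000;          # records per bulk request
redef LogElasticSearch::max_batch_interval = 10secs;    # max time a record waits
redef LogElasticSearch::max_byte_size = 8 * 1024 * 1024; # bytes of JSON per request

# Give a busy cluster more time to acknowledge a bulk request before the
# writer gives up on it (default is 2secs).
redef LogElasticSearch::transfer_timeout = 10secs;

# Back-pressure note: if ES answers bulk requests slowly, the queue to the
# writer thread keeps growing, which looks like a Bro memory leak. Keep
# the streams sent to ES to the ones actually needed.
redef LogElasticSearch::excluded_log_ids += { Weird::LOG };
```

Watch the Bro process RSS alongside ES bulk-request latency after changing these: growing memory on the Bro side with flat ES throughput means the cluster, not the batch settings, is the bottleneck.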