[Bro] elastic search / bro questions

Seth Hall seth at icir.org
Mon Nov 10 07:05:16 PST 2014


> On Nov 10, 2014, at 9:46 AM, Joe Blow <blackhole.em at gmail.com> wrote:
> 
> My question is this.  Many of these ES issues appear that they can be alleviated if we were shoving all of the bro logs into 'bro-YYYYmmddHHMM', instead of some there, and some in the giant 'bro' index.  Is there any reason why we can't force all of the ES logging into the time based indices instead of the one giant bro index?  Would anyone know where to start hacking the BRO code to try and make this possible?

Are you processing tracefiles?  If you are processing live traffic from an interface it should already be sharding into indexes like you want.

  .Seth

--
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro.org/
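As an added illustration of the index layout the question asks for (this is example code written for this page, not Bro's ElasticSearch writer and not anything posted in the thread): each record is routed to a 'bro-YYYYmmddHHMM' index derived from the record's own `ts` field and a rotation interval, rather than from the wall clock, so rows replayed from a tracefile land in the same time-based indices a live run would produce. The sample log rows, the one-hour rotation interval and the `route_records` / `index_name` names are all assumptions made for the example.

```python
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample in the shape of a Bro TSV log (a '#fields' header line
# followed by tab-separated rows whose first column is an epoch timestamp).
SAMPLE_LOG = """\
#fields\tts\tuid\tid.orig_h\tid.resp_h
1415635200.123456\tCXWv6p3arKYeMETxOg\t10.0.0.5\t93.184.216.34
1415635805.000000\tCjhGID4nQcgTWjvg4c\t10.0.0.7\t93.184.216.34
1415639000.500000\tC4J4Th3PJpwUYZZ6gc\t10.0.0.9\t198.51.100.3
"""

# Assumed rotation interval: one index per hour of log time.
ROTATION_SECONDS = 3600


def index_name(ts: float, prefix: str = "bro", rotation: int = ROTATION_SECONDS) -> str:
    """Return the time-based index name for a record with timestamp ts.

    The timestamp is truncated to the start of its rotation bucket and
    formatted as YYYYmmddHHMM (UTC), giving names like 'bro-201411101600'.
    """
    bucket_start = int(ts) - (int(ts) % rotation)
    stamp = datetime.fromtimestamp(bucket_start, tz=timezone.utc).strftime("%Y%m%d%H%M")
    return f"{prefix}-{stamp}"


def parse_log(text: str):
    """Yield one dict per data row, using the '#fields' header for column names.

    Other '#' lines (e.g. '#separator', '#close') are skipped.
    """
    columns = None
    for line in text.splitlines():
        if not line:
            continue
        if line.startswith("#fields\t"):
            columns = line.split("\t")[1:]
            continue
        if line.startswith("#"):
            continue
        if columns is None:
            raise ValueError("data row seen before '#fields' header")
        values = line.split("\t")
        record = dict(zip(columns, values))
        record["ts"] = float(record["ts"])  # timestamp comes from the record, not the clock
        yield record


def route_records(text: str, prefix: str = "bro", rotation: int = ROTATION_SECONDS):
    """Group parsed records by the time-based index each one belongs in."""
    buckets = defaultdict(list)
    for record in parse_log(text):
        buckets[index_name(record["ts"], prefix, rotation)].append(record)
    return dict(buckets)


if __name__ == "__main__":
    for name, records in sorted(route_records(SAMPLE_LOG).items()):
        print(name, [r["uid"] for r in records])
```

Because the bucket is computed from `ts`, a tracefile captured last week is written to last week's indices, and a live run produces one new index per rotation interval; the 'bro' catch-all index never appears.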