[Bro] ElasticSearch plugin

Joe Blow blackhole.em at gmail.com
Mon Jun 13 11:35:04 PDT 2016


I hate sucking IOPS out of my boxes if I can help it...  Is there no clean
way to write directly to rsyslog?  I can crank the allowable message size
up fairly large, and then either write directly to a local file, or simply
ship off box.

Writing to a file, only to immediately tail that file seems a bit clunky if
you ask me, but what do I know :).

Thoughts?

Cheers,

JB

On Mon, Jun 13, 2016 at 2:31 PM, Azoff, Justin S <jazoff at illinois.edu>
wrote:

>
> > On Jun 13, 2016, at 1:28 PM, Joe Blow <blackhole.em at gmail.com> wrote:
> >
> > I use it a whole bunch, but it is quite clunky...
> >
> > Part of me wishes bro would just write JSON to syslog, so that we could
> use the native rsyslog queuing and output modules (much more widely
> supported).
> >
> > Any chance that could be easily implemented?
> >
> > Cheers,
> >
> > JB
>
> You can tell bro to write to the json logs as usual, and then use rsyslog
> with the imfile module.
>
> --
> - Justin Azoff
>
>
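The setup Justin describes (Bro writing JSON logs, rsyslog tailing them with imfile and handling queuing and forwarding itself), as an added example that is not from either poster. It assumes Bro has been switched to JSON with `redef LogAscii::use_json = T;` in local.bro, that the live logs live under /opt/bro/logs/current, that rsyslog is v8 with RainerScript syntax, and that `logcollector.example.internal` is a placeholder for your collector.

```conf
# /etc/rsyslog.d/bro.conf (added example; paths and hostnames are assumptions)

# Raise the message limit so long Bro records (http.log, files.log) are not
# truncated; this and workDirectory must come before the inputs are declared.
global(maxMessageSize="64k" workDirectory="/var/spool/rsyslog")

# imfile tails the JSON files Bro already writes; state is kept in
# workDirectory so rsyslog resumes where it left off after a restart.
module(load="imfile")

input(type="imfile"
      File="/opt/bro/logs/current/conn.log"
      Tag="bro_conn:"
      Severity="info"
      Facility="local6"
      ruleset="bro_json")

input(type="imfile"
      File="/opt/bro/logs/current/dns.log"
      Tag="bro_dns:"
      Severity="info"
      Facility="local6"
      ruleset="bro_json")

# Send the raw JSON object per line, without the usual syslog header, so the
# receiver (Logstash, Elasticsearch ingest, etc.) can parse it directly.
template(name="bro_raw_json" type="string" string="%msg%\n")

ruleset(name="bro_json") {
    # Forward over TCP using rsyslog's disk-assisted queue, so a collector
    # outage neither blocks Bro nor drops records (retry forever, spill to disk).
    action(type="omfwd"
           target="logcollector.example.internal"
           port="6514"
           protocol="tcp"
           template="bro_raw_json"
           queue.type="LinkedList"
           queue.filename="bro_fwd_q"
           queue.maxDiskSpace="1g"
           queue.saveOnShutdown="on"
           action.resumeRetryCount="-1")
}
```

Add one `input(...)` stanza per Bro log you want shipped; Bro's hourly rotation renames the file and starts a new one, which imfile follows by inode, so no extra handling is needed.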