[Bro] ElasticSearch plugin

Seth Hall seth at icir.org
Tue Jun 14 09:30:26 PDT 2016


> On Jun 14, 2016, at 10:04 AM, Vlad Grigorescu <vladg at illinois.edu> wrote:
> 
> I think we should be a bit cautious here. Let's not forget that this is
> really an ElasticSearch and NSQ writer. I've had very good success with
> NSQ at high rate, so I don't really see much value to the second
> argument.

Are you proposing that you'll take over responsibility for the module?

I think it would make sense to have a separate NSQ module too if you find value in that. That way if/when ES or NSQ specific tweaks (or other HTTP-based outputs) come into play we aren't creating a mess of various configuration options in a single module.

> I think the better solution would simply be to make the record separator
> redef-able in the formatter. I can *maybe* see the argument for using
> '.' instead of '$' in the ASCII logs, but since the other separators are
> user-definable, I think this one should be as well.

This already exists in topic/seth/log-framework-ext and hopefully will be getting merged soon along with some other logging framework changes I did recently.

  .Seth

--
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro.org/
