[Bro] Bro Digest, Vol 126, Issue 56

John Edwards jedwards2728 at gmail.com
Tue Nov 1 03:49:53 PDT 2016


All resolved now. I noticed the cronjob was in place for broctl tasks, and
also, even though I configured the node.cfg back from a cluster to a
standalone instance and re-ran deploy, it had PIDs for both standalone and
clustered processes. So I rebooted the system and it was logging and
gzipping in the JSON output I want and now consuming a lot less resources
and disk on our SIEM. ASCII had a 3:1 compression ratio of inflation! So
JSON is a much more efficient use of space.

On Tue, Nov 1, 2016 at 6:00 AM, <bro-request at bro.org> wrote:

> Today's Topics:
>
>    1.  bro logging gzip (erik clark)
>    2. Re: bro logging gzip (John Edwards)
>    3. af_packet/pf_ring equivalency (erik clark)
>
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Mon, 31 Oct 2016 08:02:11 -0400
> From: erik clark <philosnef at gmail.com>
> Subject: [Bro]  bro logging gzip
> To: jedwards2728 at gmail.com, bro at bro.org
> Message-ID:
>         <CAK6atxrrDS8hF9QjWdB4f-V6W9msjwY0a+PXzVYdFMmafM+5JA@
> mail.gmail.com>
> Content-Type: text/plain; charset="utf-8"
>
> broctl cron cronjob? Pretty sure this is what controls rollover and
> compression.
>
> ------------------------------
>
> Message: 2
> Date: Mon, 31 Oct 2016 23:05:03 +1100
> From: John Edwards <jedwards2728 at gmail.com>
> Subject: Re: [Bro] bro logging gzip
> To: erik clark <philosnef at gmail.com>
> Cc: bro at bro.org
> Message-ID:
>         <CAAcg0e+8LDPYEu8xSFAe6bXfUcsMdduJdQ1wo
> JC9O4eLwG3c1Q at mail.gmail.com>
> Content-Type: text/plain; charset="utf-8"
>
> Oh I just found that 10 minutes ago. I overlooked it as I have built two
> standalone systems and just forgot about cron. Then you emailed :) thanks
> for reminding me
>
> On Monday, 31 October 2016, erik clark <philosnef at gmail.com> wrote:
>
> > broctl cron cronjob? Pretty sure this is what controls rollover and
> > compression.
> >
>
> ------------------------------
>
> Message: 3
> Date: Mon, 31 Oct 2016 12:38:22 -0400
> From: erik clark <philosnef at gmail.com>
> Subject: [Bro] af_packet/pf_ring equivalency
> To: bro at bro.org
> Message-ID:
>         <CAK6atxp_rmpg+aLQDN_dhJCOCg-7JebhZZn0u2EJFYgCZSuA0Q at mail.
> gmail.com>
> Content-Type: text/plain; charset="utf-8"
>
> I am using pf_ring with pfcount to do traffic analysis (pps/throughput)
> since it is very reliable.
>
> Does af_packet have an equivalent for this? I don't want to use broctl
> capstats unless there is absolutely no other option.
>
> ------------------------------
>