[Bro] NSQ plugin getting deprecated in 2.5

Daniel Guerra daniel.guerra69 at gmail.com
Tue Sep 13 00:45:49 PDT 2016


Hi Munroe,


Too bad it's deprecated. There is a running docker example 

https://hub.docker.com/r/danielguerra/bro-debian-elasticsearch/

In the new repo the best way to do it would be using the kafka plugin.
From kafka you can use an elasticsearch river.

Regards,

Daniel

> On 12 Sep 2016, at 22:46, Munroe Sollog <mus3 at lehigh.edu> wrote:
> 
> I saw a notice in the 2.5 release notes and I read through the June ’16 conversation about the elasticsearch plugin.  I wanted to add my $0.02.  For people who are trying to analyze large traffic flows it becomes imperative to not rely on the disk subsystem for transport.  Our current flow looks like:
> 
> Bro -> NSQ -> Logstash-> ElasticSearch
> 
> We tried to use the Redis plugin first but it was not built in a way that makes it possible to use with Logstash (I have two or three open issues on github).  Moving to NSQ was the only way we could really deploy the service.  I’m open to switching to a different messaging broker, but I think it is a bit over-ambitious to deprecate a plugin that works perfectly well (for NSQ at least) without having a viable alternative (RELP, a better Redis plugin, a dedicated NSQ plugin).
> 
> Thanks
> - Munroe
> 
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
