[Bro] Splunk or ELK to parse Bro logs

Joe Blow blackhole.em at gmail.com
Mon Feb 20 05:43:59 PST 2017


You could just change the JVM you're using elasticsearch/logstash on to
only allocate 1GB of RAM.  On that VM if you give it 2.5GB of RAM, then
only 1GB of it will be used by your Elasticsearch install.  The rest will
be used by the OS (disk cache) and logstash.

In CentOS land, you'd make your /etc/sysconfig/elasticsearch file say this:

ES_HEAP_SIZE=1g

Cheers,

JB

On Mon, Feb 20, 2017 at 4:25 AM, C. L. Martinez <carlopmart at gmail.com>
wrote:

> Hi all,
>
>  I would like to do some tests and deploy rules using Bro under my laptop
> test lab. Due to limited resources, I would like to install some log parser
> tool for Bro like Splunk or ELK.
>
>  In the past, I have used Splunk and it works very well for my needs. But
> doing some searches, I am finding more docs about using ELK with Bro than
> using Splunk.
>
>  But I don't see how I can limit resources assigned to an ELK
> infrastructure to suit my needs (I can't assign more than 2.5 GB of RAM to
> the VM where I will install Splunk or ELK or another solution).
>
>  I don't expect a lot of logs per day or hour from Bro's side (in fact, I
> expect very few), but I don't see clearly which solution to use.
>
>  What are your opinions or recommendations?
>
> Many thanks to all.
>
> --
> Greetings,
> C. L. Martinez
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
>
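The heap cap JB describes, as an added example that is not code from the thread or from the Bro project: a small POSIX shell helper that sets ES_HEAP_SIZE idempotently in the sysconfig file, checks that the requested heap leaves at least half of the VM's RAM for the OS disk cache and Logstash, and reads back the -Xmx the running JVM was actually started with. It assumes the ES 2.x-era /etc/sysconfig/elasticsearch layout named in the reply (ES 5.x reads -Xms/-Xmx from jvm.options instead), GNU sed -i, and procps ps; the function names are mine.

```shell
#!/bin/sh
# Added example: pin the Elasticsearch heap in a small lab VM and verify it.
# Assumes the ES 2.x sysconfig layout from the reply; on ES 5.x edit jvm.options.
set -eu

# set_es_heap FILE SIZE: set ES_HEAP_SIZE=SIZE in FILE, replacing any existing line.
set_es_heap() {
    file="$1"; size="$2"
    if grep -q '^ES_HEAP_SIZE=' "$file" 2>/dev/null; then
        sed -i "s/^ES_HEAP_SIZE=.*/ES_HEAP_SIZE=$size/" "$file"   # GNU sed -i assumed
    else
        printf 'ES_HEAP_SIZE=%s\n' "$size" >> "$file"
    fi
}

# to_mb SIZE: convert a JVM-style size (1g, 512m, 2048k, or bare bytes) to megabytes.
to_mb() {
    n=$(printf '%s' "$1" | sed 's/[gGmMkK]$//')
    case "$1" in
        *[gG]) echo $((n * 1024)) ;;
        *[mM]) echo "$n" ;;
        *[kK]) echo $((n / 1024)) ;;
        *)     echo $((n / 1048576)) ;;
    esac
}

# heap_fits HEAP VM_RAM: succeed when HEAP is no more than half of VM_RAM,
# so the rest stays free for the OS disk cache and Logstash, as JB advises.
heap_fits() {
    [ "$(to_mb "$1")" -le $(( $(to_mb "$2") / 2 )) ]
}

# running_es_xmx: print the -Xmx value of the running Elasticsearch JVM, if any
# (procps 'ps -C' assumed), so you can confirm the new setting took effect
# after restarting the service.
running_es_xmx() {
    ps -o args= -C java 2>/dev/null | grep -- '-Xmx' \
        | grep -o -- '-Xmx[0-9]*[gGmMkK]*' | head -n 1 | sed 's/^-Xmx//'
}

# Typical use in the 2.5 GB VM from the question:
#   heap_fits 1g 2560m && set_es_heap /etc/sysconfig/elasticsearch 1g
#   (restart elasticsearch, then) running_es_xmx   -> 1g
```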