[Bro] Splunk or ELK to parse Bro logs
Collyer, Jeffrey W. (jwc3f)
jwc3f at virginia.edu
Mon Feb 20 07:50:57 PST 2017
For Splunk I’ve had good luck with logging to JSON format and using this TA
https://github.com/jahshuah/splunk-ta-bro-json <https://github.com/jahshuah/splunk-ta-bro-json>
Jeffrey Collyer
> On Feb 20, 2017, at 4:41 AM, C. L. Martinez <carlopmart at gmail.com> wrote:
>
> Hi all,
>
> I would like to do some tests and deploy rules using Bro under my laptop test lab. Due to limited resources, I would like to install some log parser tool for Bro like Splunk or ELK.
>
> In the past, I have used Splunk and goes very well for my needs. But doing some searches, I am finding more docs about using ELK with Bro than using Splunk.
>
> But I don't see how can I limit resources assigned to an ELK infrastructure to suit my needs (I can't assign more than 2.5 GB of RAM to vm where I will install splunk or elk or another solution).
>
> I don't expect a lot of logs per day or hour from Bro's side (in fact, I expect very few), but i don't see pretty clear what solution to use.
>
> What are your opinions or recommendations?
>
> Many thanks to all.
>
> --
> Greetings,
> C. L. Martinez
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20170220/d54d8db5/attachment.html
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 4939 bytes
Desc: not available
Url : http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20170220/d54d8db5/attachment.bin
More information about the Bro
mailing list