[Bro] Real-time reporting from multiple sensors to multiple analysis points

Osama Elnaggar oelnaggar04 at gmail.com
Mon Jul 3 22:29:52 PDT 2017


You can also have a look at lsyncd (https://github.com/axkibe/lsyncd) which
is a syncing daemon that uses rsync in the background.  By default, lsyncd
triggers copying when the file is closed but you can change this behavior
by modifying the inotifyMode option -
https://axkibe.github.io/lsyncd/manual/config/file/

-- 
Osama Elnaggar

On July 4, 2017 at 5:35:34 AM, Azoff, Justin S (jazoff at illinois.edu) wrote:


> On Jul 3, 2017, at 6:51 AM, Marcin Nawrocki <marcin.nawrocki at fu-berlin.de>
> wrote:
>
> Dear bro mailing list,
>
>
> I have a question regarding the configuration of bro and its real-time
> reporting features.
>
> Right now, I have two sensors (s1, s2), each running one bro node with
> log files rotating every hour. After the rotation, I send the files from
> each sensor to an analysis point (a1) via scp and perform my analysis
> steps.
>
> My requirements changed now: I want to know what happens on the sensors
> in almost real-time. How do I send reports from (s1,s2) with a max.
> delay of 10 seconds to another analysis point (a2)? The reports can
> still reach (a1) every hour to keep the load low. My intuition tells me,
> that a very low rotation interval and scp are not the best practice here.

Based on your requirements you probably want to use something like the bro
kafka log writer, or a process running on each system like logstash that
can forward logs.


-- 
- Justin Azoff
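As an added illustration of the "process running on each system that can forward logs" idea from the reply above (example code written for this page, not Bro's Kafka writer, Logstash, lsyncd, or anything posted in the thread), the following Python forwarder follows a Bro ASCII log on the sensor, parses the `#fields`/`#types` header block, survives the hourly rotation by reopening the file when its inode changes, and hands batches to a sink no later than the 10-second bound the question sets. The log lines, addresses and UIDs in `SAMPLE_LOG` are constructed, and the stdout JSON-lines sink is a placeholder for whatever transport carries records to the second analysis point.

```python
"""Minimal near-real-time forwarder for Bro ASCII logs (example code, not from the thread)."""
import json
import os
import sys
import time
from typing import Callable, Iterable, Iterator, List, Optional

MAX_DELAY = 10.0  # seconds: the delay bound the question on this page asks for


class BroLogParser:
    """Stateful parser for Bro's tab-separated ASCII log format, rotation-aware."""

    def __init__(self) -> None:
        self.separator, self.set_separator = "\t", ","
        self.empty, self.unset, self.path = "(empty)", "-", None
        self.fields: List[str] = []
        self.types: List[str] = []

    def feed(self, line: str) -> Optional[dict]:
        """Return a record dict for a data line; None for header, trailer or blank lines."""
        line = line.rstrip("\r\n")
        if not line:
            return None
        if line.startswith("#"):
            self._header(line)
            return None
        if not self.fields:
            raise ValueError("data line seen before a #fields header")
        values = line.split(self.separator)
        if len(values) != len(self.fields):
            raise ValueError("expected %d fields, got %d" % (len(self.fields), len(values)))
        record = {"_path": self.path}
        for name, typ, raw in zip(self.fields, self.types, values):
            record[name] = self._convert(typ, raw)
        return record

    def _header(self, line: str) -> None:
        if line.startswith("#separator "):
            # Bro writes the separator itself escaped, e.g. "\x09" for TAB
            self.separator = line[len("#separator "):].encode("ascii").decode("unicode_escape")
            return
        key, _, rest = line[1:].partition(self.separator)
        if key == "set_separator":
            self.set_separator = rest
        elif key == "empty_field":
            self.empty = rest
        elif key == "unset_field":
            self.unset = rest
        elif key == "path":
            self.path = rest
        elif key == "fields":
            self.fields = rest.split(self.separator)
        elif key == "types":
            self.types = rest.split(self.separator)
        elif key == "close":
            self.fields, self.types = [], []  # rotation: next file repeats the header block

    def _convert(self, typ: str, raw: str) -> object:
        if raw == self.unset:
            return None
        if typ.startswith(("set[", "vector[")):
            return [] if raw == self.empty else raw.split(self.set_separator)
        if raw == self.empty:
            return ""
        if typ in ("time", "interval", "double"):
            return float(raw)
        if typ in ("count", "int", "port"):
            return int(raw)
        if typ == "bool":
            return raw == "T"
        return raw  # string, addr, subnet, enum stay as text


class Forwarder:
    """Batch records; flush when the batch is full or its oldest record ages past max_delay."""

    def __init__(self, sink: Callable[[List[dict]], None], max_delay: float = MAX_DELAY,
                 max_batch: int = 500, clock: Callable[[], float] = time.monotonic) -> None:
        self.sink, self.max_delay, self.max_batch, self.clock = sink, max_delay, max_batch, clock
        self.batch: List[dict] = []
        self.oldest: Optional[float] = None

    def push(self, record: dict) -> None:
        if self.oldest is None:
            self.oldest = self.clock()
        self.batch.append(record)
        if len(self.batch) >= self.max_batch:
            self.flush()

    def tick(self) -> None:
        """Called on every line and on idle heartbeats so the delay bound holds even when quiet."""
        if self.oldest is not None and self.clock() - self.oldest >= self.max_delay:
            self.flush()

    def flush(self) -> None:
        if self.batch:
            self.sink(self.batch)
            self.batch, self.oldest = [], None


def follow(path: str, poll: float = 1.0) -> Iterator[str]:
    """Yield complete lines appended to path; reopen on inode change (Bro's hourly rotation)."""
    fh = open(path, encoding="utf-8", errors="replace")
    inode, partial = os.fstat(fh.fileno()).st_ino, ""
    while True:
        chunk = fh.readline()
        if chunk:
            partial += chunk
            if partial.endswith("\n"):  # only hand over whole lines, never a half-written one
                yield partial
                partial = ""
            continue
        try:
            st = os.stat(path)
        except FileNotFoundError:
            st = None
        if st is not None and st.st_ino != inode:
            fh.close()
            fh = open(path, encoding="utf-8", errors="replace")
            inode, partial = st.st_ino, ""
        else:
            time.sleep(poll)
            yield ""  # idle heartbeat so the consumer can still enforce its delay bound


def pump(lines: Iterable[str], parser: BroLogParser, fwd: Forwarder) -> None:
    for line in lines:
        fwd.tick()
        record = parser.feed(line)
        if record is not None:
            fwd.push(record)
    fwd.flush()


# Constructed sample in Bro's ASCII format (addresses, UIDs and timestamps are made up).
SAMPLE_LOG = [
    "#separator \\x09",
    "#set_separator\t,",
    "#empty_field\t(empty)",
    "#unset_field\t-",
    "#path\tconn",
    "#open\t2017-07-03-12-00-00",
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tservice\tduration\ttunnel_parents",
    "#types\ttime\tstring\taddr\tport\taddr\tport\tenum\tstring\tinterval\tset[string]",
    "1499083200.123456\tCabc123\t192.0.2.10\t51234\t198.51.100.7\t443\ttcp\tssl\t0.532\t(empty)",
    "1499083201.500000\tCdef456\t192.0.2.11\t40000\t198.51.100.8\t53\tudp\tdns\t-\t-",
    "#close\t2017-07-03-13-00-00",
]


def replay(lines: Iterable[str], max_delay: float = MAX_DELAY, max_batch: int = 500,
           seconds_per_line: float = 0.0) -> List[List[dict]]:
    """Drive the pipeline over in-memory lines with a simulated clock; return the flushed batches."""
    now = [0.0]
    batches: List[List[dict]] = []
    fwd = Forwarder(batches.append, max_delay, max_batch, clock=lambda: now[0])

    def ticking() -> Iterator[str]:
        for line in lines:
            now[0] += seconds_per_line
            yield line

    pump(ticking(), BroLogParser(), fwd)
    return batches


if __name__ == "__main__":
    if len(sys.argv) > 1:  # live mode: python forwarder.py /path/to/bro/logs/current/conn.log
        sink = lambda batch: sys.stdout.write("".join(json.dumps(r) + "\n" for r in batch))
        pump(follow(sys.argv[1]), BroLogParser(), Forwarder(sink))
    else:
        for batch in replay(SAMPLE_LOG, seconds_per_line=11.0):
            print(json.dumps(batch))
```

The two flush triggers are the point: a size bound keeps the transport efficient when the sensor is busy, and the age bound guarantees that a single trickling record still leaves the sensor within the stated delay, which is what a shorter rotation interval plus scp cannot give you without polling cost. Because the forwarder only reads the log and pushes outward, the sensors need no inbound SSH access from the analysis points, so a1 can keep its hourly pull and a2 receives the stream.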


_______________________________________________
Bro mailing list
bro at bro-ids.org
http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro

