[Bro] Get the license usage down in Splunk when indexing Bro logs

Mike Eriksson mike at swedishmike.org
Tue Jul 11 03:48:24 PDT 2017

Hi all,

We're currently working on deploying Bro sensors to various offices and
I've come to realise that the Bro logs are quite 'expensive' when it comes
to Splunk licenses. To say the least.

We have discussed various solutions but most of them fall down on us losing
the ability to correlate events unless we shift all the logs into Splunk.

At the moment we're running it pretty much 'out of the box' so we can save
some GBs per day by turning off certain scripts, but it will probably not be

Someone mentioned that turning on JSON logging instead of the standard
logging on Bro could save considerable amounts of space on your SIEM. Have
any of you guys tested this and can you back that statement up?

I was hoping that someone else had encountered this before and had come up
with some solution(s) to this issue?

Thanks in advance, Mike