[Bro] Get the license usage down in Splunk when indexing Bro logs

Dave Crawford bro at pingtrip.com
Tue Jul 11 07:57:06 PDT 2017



The JSON logs will always be larger than the default tab delimited. With JSON every log event includes the "column" names versus a set of headers in the delimited format.

> On Jul 11, 2017, at 6:48 AM, Mike Eriksson <mike at swedishmike.org> wrote:
> 
> Hi all,
> 
> We're currently working on deploying Bro sensors to various offices and I've come to realise that the Bro logs are quite 'expensive' when it comes to Splunk licenses. To say the least.
> 
> We have discussed various solutions but most of them fall down on us losing the ability to correlate events unless we shift all the logs into Splunk.
> 
> At the moment we're running it pretty much 'out of the box' so we can save some GBs per day to turn off certain scripts, but it will probably not be enough.
> 
> Someone mentioned that turning on JSON logging instead of the standard logging on Bro could save considerable amounts of space on your SIEM. Have any of you guys tested this and can you back that statement up?
> 
> I was hoping that someone else had encountered this before and had come up with some solution(s) to this issue? 
> 
> Thanks in advance, Mike
> 
> 
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro

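The size difference Dave describes can be measured rather than argued about. The following is an added example, not code from Bro or from anyone in this thread: it writes a few constructed conn.log events first in the layout of Bro's ASCII writer (one header block, then tab-separated rows with "-" for unset fields) and then in the layout of Bro's JSON writer (one object per line, unset fields omitted, field names repeated in every object) and compares the byte counts Splunk would ingest. The field list is a trimmed subset of the real conn.log schema and the sample events are invented; both are assumptions for illustration only.

```python
"""
Added example (not Bro project code, not from the thread): measure how much
larger Bro JSON logs are than the default tab-separated logs for the same events.
"""
import json

# Trimmed subset of the conn.log schema (assumption: enough to show the effect)
FIELDS = ["ts", "uid", "id.orig_h", "id.orig_p", "id.resp_h", "id.resp_p",
          "proto", "service", "duration", "orig_bytes", "resp_bytes", "conn_state"]
TYPES = ["time", "string", "addr", "port", "addr", "port",
         "enum", "string", "interval", "count", "count", "string"]

# Constructed sample events; None models Bro's "unset" value ("-" in the TSV output)
SAMPLE_EVENTS = [
    {"ts": 1499784486.123456, "uid": "CXWv6p3arKYeMETxOg", "id.orig_h": "10.0.0.5",
     "id.orig_p": 51234, "id.resp_h": "93.184.216.34", "id.resp_p": 443,
     "proto": "tcp", "service": "ssl", "duration": 1.234, "orig_bytes": 842,
     "resp_bytes": 5120, "conn_state": "SF"},
    {"ts": 1499784487.0, "uid": "C1b7Nr4yQJFAVfaAbf", "id.orig_h": "10.0.0.7",
     "id.orig_p": 53000, "id.resp_h": "10.0.0.1", "id.resp_p": 53,
     "proto": "udp", "service": "dns", "duration": 0.02, "orig_bytes": 60,
     "resp_bytes": 120, "conn_state": "SF"},
    {"ts": 1499784488.5, "uid": "CmES5u32sYpV7JYN", "id.orig_h": "10.0.0.9",
     "id.orig_p": 40000, "id.resp_h": "192.0.2.10", "id.resp_p": 22,
     "proto": "tcp", "service": None, "duration": None, "orig_bytes": None,
     "resp_bytes": None, "conn_state": "S0"},
]


def tsv_value(v):
    """Render one field the way the ASCII writer does: '-' for unset, 6 decimals for floats."""
    if v is None:
        return "-"
    if isinstance(v, float):
        return f"{v:.6f}"
    return str(v)


def to_tsv(events):
    """ASCII writer layout: the header block appears once, then one row per event."""
    header = [
        "#separator \\x09",
        "#set_separator\t,",
        "#empty_field\t(empty)",
        "#unset_field\t-",
        "#path\tconn",
        "#fields\t" + "\t".join(FIELDS),
        "#types\t" + "\t".join(TYPES),
    ]
    rows = ["\t".join(tsv_value(e[f]) for f in FIELDS) for e in events]
    return "\n".join(header + rows) + "\n"


def to_json_lines(events):
    """JSON writer layout: one object per line, unset fields omitted,
    and every object carries the full set of field names."""
    return "".join(
        json.dumps({f: e[f] for f in FIELDS if e[f] is not None},
                   separators=(",", ":")) + "\n"
        for e in events
    )


def compare(events, repeat=1):
    """Size both encodings for the events repeated `repeat` times.
    Returns byte counts and the JSON/TSV ratio; the ratio grows with volume
    because the TSV header is paid once while JSON field names are paid per event."""
    evs = events * repeat
    tsv = to_tsv(evs).encode("utf-8")
    js = to_json_lines(evs).encode("utf-8")
    return {
        "events": len(evs),
        "tsv_bytes": len(tsv),
        "json_bytes": len(js),
        "json_over_tsv": len(js) / len(tsv),
    }


if __name__ == "__main__":
    for n in (1, 10, 1000):
        print(compare(SAMPLE_EVENTS, n))
```

Run it and the JSON/TSV ratio climbs as the event count grows, which is the point for licensing: the TSV header is a fixed cost per log file while the JSON field names are a cost on every event, so at sensor volumes JSON is a multiple of the TSV size for identical data. Note that the ratio depends on the log type: a log with short values and long field names (conn.log) suffers more than one with long values (http.log URIs, files.log hashes).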