[Bro] Get the license usage down in Splunk when indexing Bro logs

[Slagell, Adam J]

Well if you are collecting net flows and conn.logs, you could get rid of one. If you are recapturing syslogs with Bro and sending them to Splunk, you could trim duplication there. If you are finding a ton of certificate information in your bro logs, you might realize some cost savings there. But I don’t have much advice beyond don’t send the same info twice and look for large amounts of data that you don’t really use in Splunk, like maybe certificates.


> On Jul 11, 2017, at 5:48 AM, Mike Eriksson <mike at swedishmike.org> wrote:
> 
> Hi all,
> 
> We're currently working on deploying Bro sensors to various offices and I've come to realise that the Bro logs are quite 'expensive' when it comes to Splunk licenses. To say the least.
> 
> We have discussed various solutions but most of them fall down on us losing the ability to correlate events unless we shift all the logs in to Splunk. 
> 
> At the moment we're running it pretty much 'out of the box' so we can save some GB's per day to turn of certain scripts, but it will probably not be enough.
> 
> Someone mentioned that turning on JSON logging instead of the standard logging on Bro could save considerable amounts of space on your SIEM. Have any of you guys tested this and can you back that  statement up?
> 
> I was hoping that someone else had encountered this before and had come up with some solution(s) to this issue? 
> 
> Thanks in advance, Mike
> 
> 
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro