[Bro] Get the license usage down in Splunk when indexing Bro logs

Joshua Buysse buysse at umn.edu
Tue Jul 11 11:55:13 PDT 2017


I think I know where Mike's misunderstanding comes from - the JSON logs are
larger in original size (for license volume), but will use less space on
indexer disk than the default TSV because the extractions are search-time
instead of index-time.

On Tue, Jul 11, 2017 at 9:57 AM, Dave Crawford <bro at pingtrip.com> wrote:

>
>
> The JSON logs will always be larger than the default tab delimited. With
> JSON every log event includes the "column" names versus a set of headers in
> the delimited format.
>
> > On Jul 11, 2017, at 6:48 AM, Mike Eriksson <mike at swedishmike.org> wrote:
> >
> > Hi all,
> >
> > We're currently working on deploying Bro sensors to various offices and
> I've come to realise that the Bro logs are quite 'expensive' when it comes
> to Splunk licenses. To say the least.
> >
> > We have discussed various solutions but most of them fall down on us
> losing the ability to correlate events unless we shift all the logs in to
> Splunk.
> >
> > At the moment we're running it pretty much 'out of the box' so we can
> save some GBs per day by turning off certain scripts, but it will probably not
> be enough.
> >
> > Someone mentioned that turning on JSON logging instead of the standard
> logging on Bro could save considerable amounts of space on your SIEM. Have
> any of you guys tested this and can you back that statement up?
> >
> > I was hoping that someone else had encountered this before and had come
> up with some solution(s) to this issue?
> >
> > Thanks in advance, Mike
> >
> >
> > _______________________________________________
> > Bro mailing list
> > bro at bro-ids.org
> > http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
>



-- 
Joshua Buysse
University of Minnesota - University Information Security

"On two occasions I have been asked, 'Pray, Mr. Babbage, if you
put into the machine wrong figures, will the right answers come
out?' I am not able rightly to apprehend the kind of confusion of
ideas that could provoke such a question."
  - Charles Babbage
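To put numbers on the size claim being debated above (JSON events carry every field name; TSV carries the names once in the #fields header), here is an added example, not code from the list post or from Bro itself. It parses a small conn.log in Bro's default TSV layout, re-emits the same records the way Bro's ASCII writer does with `redef LogAscii::use_json = T;` (one compact object per line, unset "-" fields omitted, timestamps as epoch doubles), and reports the bytes Splunk would meter for each form. The two conn.log rows are constructed for the example, not captured from a sensor.

```python
"""Compare the license volume (bytes ingested) of Bro conn.log data rows in the
default tab-separated form against the same events as JSON.

Added example. SAMPLE_CONN_LOG is a constructed two-record conn.log laid out
the way Bro's ASCII writer emits it; it is not real sensor output.
"""
import json

SAMPLE_CONN_LOG = """#separator \\x09
#set_separator\t,
#empty_field\t(empty)
#unset_field\t-
#path\tconn
#open\t2017-07-11-11-55-13
#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tservice\tduration\torig_bytes\tresp_bytes\tconn_state\tlocal_orig\tlocal_resp\tmissed_bytes\thistory\torig_pkts\torig_ip_bytes\tresp_pkts\tresp_ip_bytes\ttunnel_parents
#types\ttime\tstring\taddr\tport\taddr\tport\tenum\tstring\tinterval\tcount\tcount\tstring\tbool\tbool\tcount\tstring\tcount\tcount\tcount\tcount\tset[string]
1499799313.123456\tCsZz1e3jSm1lTZmOI\t10.0.0.5\t51234\t93.184.216.34\t80\ttcp\thttp\t0.512345\t421\t3271\tSF\tT\tF\t0\tShADadFf\t6\t741\t5\t3535\t(empty)
1499799314.654321\tCgH2z4mKq9cDmPbI6\t10.0.0.7\t40000\t8.8.8.8\t53\tudp\tdns\t-\t-\t-\tS0\tT\tF\t0\tD\t1\t64\t0\t0\t(empty)
#close\t2017-07-11-12-00-00
"""


def _convert(value, btype):
    """Turn one TSV cell into the JSON value the Bro writer would emit for it.
    Returns None for an unset field ("-"); the JSON writer omits those keys."""
    if value == "-":
        return None
    if btype.startswith("set[") or btype.startswith("vector["):
        return [] if value == "(empty)" else value.split(",")
    if btype in ("time", "interval", "double"):
        return float(value)
    if btype in ("count", "int", "port"):
        return int(value)
    if btype == "bool":
        return value == "T"
    return value  # string, addr, enum, subnet keep their textual form


def parse_bro_tsv(text):
    """Parse Bro ASCII-writer TSV into a list of dicts, using the #fields and
    #types header lines for column names and type conversions."""
    fields, types, records = [], [], []
    for line in text.splitlines():
        if not line:
            continue
        if line.startswith("#"):
            key, _, rest = line[1:].partition("\t")
            if key == "fields":
                fields = rest.split("\t")
            elif key == "types":
                types = rest.split("\t")
            continue  # other directives (#separator, #open, ...) carry no data
        cells = line.split("\t")
        if len(cells) != len(fields):
            raise ValueError("column count does not match the #fields header")
        rec = {}
        for name, btype, cell in zip(fields, types, cells):
            val = _convert(cell, btype)
            if val is not None:
                rec[name] = val
        records.append(rec)
    return records


def to_json_lines(records):
    """Serialise records as LogAscii::use_json=T does: one compact JSON object
    per line, field names repeated in every event, unset fields omitted."""
    return "".join(json.dumps(r, separators=(",", ":")) + "\n" for r in records)


def license_volume(text):
    """Bytes a SIEM would meter for the data rows in TSV vs JSON form. The
    TSV header lines are reported separately: they occur once per log file,
    so their cost is amortised over every event in that file."""
    lines = [l for l in text.splitlines() if l]
    data = [l for l in lines if not l.startswith("#")]
    tsv_bytes = sum(len(l.encode()) + 1 for l in data)
    header_bytes = sum(len(l.encode()) + 1 for l in lines if l.startswith("#"))
    json_bytes = len(to_json_lines(parse_bro_tsv(text)).encode())
    return {"tsv_bytes": tsv_bytes, "tsv_header_bytes": header_bytes,
            "json_bytes": json_bytes, "ratio": json_bytes / tsv_bytes}


if __name__ == "__main__":
    for k, v in license_volume(SAMPLE_CONN_LOG).items():
        print(f"{k:>18}: {v}")
```

On this sample the JSON rows come out roughly three times the size of the TSV rows, and the gap widens on logs with many short values (conn, dns), because the repeated key names dominate; the saving the list discussion attributes to JSON is on indexer disk and search-time extraction, not on the metered ingest volume.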