[Bro] Get the license usage down in Splunk when indexing Bro logs

Mike Eriksson mike at swedishmike.org
Wed Jul 12 02:07:59 PDT 2017


I've been looking at the various ways of dropping the S0 connections from
the outside but haven't found a simple way of doing this. My Google-Fu
seems to have abandoned me, hopefully just temporarily.

Would you mind sharing some examples on how you and your organisation
implemented this?

Cheers, Mike

On Tue, Jul 11, 2017 at 6:41 PM Hosom, Stephen M <hosom at battelle.org> wrote:

> Some people choose to implement Bro log filters that can result in a
> significant reduction in log volume. For example, if you filter all S0
> connections originating from outside of your organization (and you also
> happen to listen outside of a firewall) this could reduce a substantial
> amount of log volume.
>
> -----Original Message-----
> From: bro-bounces at bro.org [mailto:bro-bounces at bro.org] On Behalf Of
> Slagell, Adam J
> Sent: Tuesday, July 11, 2017 11:03 AM
> To: Mike Eriksson <mike at swedishmike.org>
> Cc: bro at bro.org
> Subject: Re: [Bro] Get the license usage down in Splunk when indexing Bro
> logs
>
> Well if you are collecting net flows and conn.logs, you could get rid of
> one. If you are recapturing syslogs with Bro and sending them to Splunk,
> you could trim duplication there. If you are finding a ton of certificate
> information in your bro logs, you might realize some cost savings there.
> But I don’t have much advice beyond don’t send the same info twice and look
> for large amounts of data that you don’t really use in Splunk, like maybe
> certificates.
>
> > On Jul 11, 2017, at 5:48 AM, Mike Eriksson <mike at swedishmike.org> wrote:
> >
> > Hi all,
> >
> > We're currently working on deploying Bro sensors to various offices and
> I've come to realise that the Bro logs are quite 'expensive' when it comes
> to Splunk licenses. To say the least.
> >
> > We have discussed various solutions but most of them fall down on us
> losing the ability to correlate events unless we shift all the logs in to
> Splunk.
> >
> > At the moment we're running it pretty much 'out of the box' so we can
> save some GBs per day by turning off certain scripts, but it will probably not
> be enough.
> >
> > Someone mentioned that turning on JSON logging instead of the standard
> logging on Bro could save considerable amounts of space on your SIEM. Have
> any of you guys tested this and can you back that statement up?
> >
> > I was hoping that someone else had encountered this before and had come
> up with some solution(s) to this issue?
> >
> > Thanks in advance, Mike
> >
> >
> > _______________________________________________
> > Bro mailing list
> > bro at bro-ids.org
> > http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
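An added example of the kind of Bro log filter Stephen describes (dropping S0 connections whose originator is outside your networks), written for this page rather than taken from the thread or from the Bro project's own scripts. It assumes a Bro 2.x sensor where Site::local_nets has been populated (for example through broctl's networks.cfg), so that Site::is_local_addr() knows which side is "inside"; the module name DropExternalS0 and the filter name conn-drop-external-s0 are arbitrary choices for the example.

```bro
##! Drop conn.log records for S0 connections (SYN seen, no reply) that
##! originate outside Site::local_nets. Added example, not Bro project code.
##! Assumes Site::local_nets is configured; if it is empty, every address is
##! "external" and every S0 record would be dropped.

@load base/frameworks/logging
@load base/protocols/conn
@load base/utils/site

module DropExternalS0;

event bro_init() &priority=-5
	{
	# The default filter writes every Conn::Info record. Replace it with one
	# whose predicate decides, per record, whether the line is written at all,
	# so the dropped records never reach the Splunk forwarder.
	Log::remove_default_filter(Conn::LOG);

	local f: Log::Filter = [
		$name = "conn-drop-external-s0",
		$pred(rec: Conn::Info) = {
			# conn_state is &optional; keep anything we cannot classify.
			if ( ! rec?$conn_state )
				return T;

			# Drop only unanswered attempts that came from outside.
			# Inbound S0s from inside hosts are kept: an internal host
			# probing something that never answers is worth seeing.
			if ( rec$conn_state == "S0" && ! Site::is_local_addr(rec$id$orig_h) )
				return F;

			return T;
			}
		];

	Log::add_filter(Conn::LOG, f);
	}
```

Two caveats before turning this on. First, as Stephen's message implies, the saving only materialises when the sensor tap is outside a firewall; inside one, the firewall has already swallowed most external SYNs and there is little to drop. Second, those S0 records are the raw evidence of inbound scanning, so if you correlate scans in Splunk today you lose that view; Bro's own scan detection is event-driven and unaffected, but Splunk searches that count unanswered inbound SYNs per source will go quiet. On the JSON question raised earlier in the thread: switching the ASCII writer to JSON (`redef LogAscii::use_json = T;`) repeats every field name in every record, so the output is larger than the default tab-separated format, not smaller; the benefit is easier field extraction in Splunk, not a reduction in licensed volume.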