[Zeek] known_*

Jon Siwek jsiwek at corelight.com
Tue Jul 30 09:55:21 PDT 2019


On Tue, Jul 30, 2019 at 1:09 AM Palumbo Mauro <mauro.palumbo at aizoon.it> wrote:

> There are a number of scripts (known_services, known_hosts, known_certs) which are implemented both using a broker store and sending broker events. It is possible to switch from one mode to the other using the option use_service_store.
>
> Is there any particular reason for this?

Mostly due to not knowing which version better fits the common use-case.

> Is one option more efficient than the other?

No, there are two choices because there's a trade-off: using the Broker
store version is theoretically less scalable because it relies on a
single, centralized node, but the version using events partitions the
data across many nodes in a consistent way via HRW.  With the Broker
store version you have the option of turning on persistence (e.g.
saving data across restarts can prevent duplicate logs, etc.).  With
the version using events there's no option for persistence, although
there's nothing preventing one from combining the two approaches
except complexity of implementing it right: partitioned events +
storing data inside a Broker store.

- Jon
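The partitioning Jon describes for the event-based known_* scripts (each key consistently routed to one node via HRW, so a per-node "seen" table is enough to suppress duplicate logs, with nothing persisted across restarts) can be illustrated with a small rendezvous-hashing model. This is an added example, not Zeek's own implementation: the node names, host keys and the `hrw_owner`/`KnownSet`/`simulate` helpers are constructed here for illustration, and SHA-256 stands in for whatever hash the real cluster framework uses.

```python
"""Added example: rendezvous (HRW) partitioning of a known_*-style dedup set.

Nothing here is Zeek code; node names, keys and helper names are assumptions
chosen for the demonstration.
"""
import hashlib
from typing import Dict, Iterable, List, Set, Tuple


def hrw_weight(key: str, node: str) -> int:
    """HRW weight of (key, node): hash both together, take 64 bits."""
    digest = hashlib.sha256(node.encode() + b"\x00" + key.encode()).digest()
    return int.from_bytes(digest[:8], "big")


def hrw_owner(key: str, nodes: List[str]) -> str:
    """The node with the highest weight for this key owns it."""
    if not nodes:
        raise ValueError("no nodes to partition across")
    return max(nodes, key=lambda n: hrw_weight(key, n))


def partition(keys: Iterable[str], nodes: List[str]) -> Dict[str, Set[str]]:
    """Map every node to the set of keys it owns."""
    owned: Dict[str, Set[str]] = {n: set() for n in nodes}
    for k in keys:
        owned[hrw_owner(k, nodes)].add(k)
    return owned


def moved_keys(keys: Iterable[str], before: List[str], after: List[str]) -> Set[str]:
    """Keys whose owner changes when the node set changes from before to after."""
    return {k for k in keys if hrw_owner(k, before) != hrw_owner(k, after)}


class KnownSet:
    """In-memory 'already seen' table held on one node (no persistence,
    matching the event-based known_* scripts: a restart empties it)."""

    def __init__(self) -> None:
        self.seen: Set[str] = set()

    def observe(self, key: str) -> bool:
        """Return True the first time a key is seen on this node."""
        if key in self.seen:
            return False
        self.seen.add(key)
        return True


def simulate(observations: Iterable[str], nodes: List[str]) -> List[Tuple[str, str]]:
    """Route each observation to its HRW owner; return (node, key) pairs that
    would produce a log line. Duplicates collapse because the same key always
    lands on the same node's table."""
    tables = {n: KnownSet() for n in nodes}
    logged: List[Tuple[str, str]] = []
    for key in observations:
        owner = hrw_owner(key, nodes)
        if tables[owner].observe(key):
            logged.append((owner, key))
    return logged


if __name__ == "__main__":
    # Constructed cluster and hosts (assumptions, not a real deployment).
    nodes = ["proxy-1", "proxy-2", "proxy-3", "proxy-4"]
    hosts = [f"10.0.0.{i}" for i in range(1, 41)]

    before = partition(hosts, nodes)
    for n in nodes:
        print(f"{n}: {len(before[n])} keys")

    # Removing one node only remaps the keys that node owned.
    remaining = [n for n in nodes if n != "proxy-3"]
    print("moved after losing proxy-3:", sorted(moved_keys(hosts, nodes, remaining)))

    # Two workers reporting the same host still yield a single log entry.
    print(simulate(["10.0.0.1", "10.0.0.2", "10.0.0.1", "10.0.0.2", "10.0.0.3"], nodes))
```

The `moved_keys` check is the property that makes HRW attractive for this use: when a proxy disappears, only the keys it owned get re-homed, and their "known" state is lost with it, which is exactly the duplicate-log window that the Broker store's persistence option avoids.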

