10Gbps Bro deployment


I will be deploying an instance of Bro onto two fairly powerful Ubuntu servers that sit off a pair of 10Gbps TAP devices. I have only used Bro on a smaller 1Gbps TAP, and I just deployed it after compiling the 2.4.1 source and got the file extraction scripts to work.

What sort of deployment options should I be considering? The reason I ask is that, out of the box, Bro's logs seem to be quite lightweight in terms of disk usage, and they are rotated and gzipped. I want to put together a deployment document on how and why I will deploy it.

As the TAPs are passive they don't aggregate: they collect both RX and TX fiber, but in separate streams, so I will need to aggregate the data or bond the interfaces. Then, is it best that I have Bro running on both systems and build another as the cluster head, to use BroControl? Or is having two separate instances of Bro, one per Ubuntu server, OK?

The data will be placed back into a large Splunk indexer.

Thanks for any assistance.
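For reference, this is what the "separate cluster head" option from the question looks like as a BroControl `node.cfg` for Bro 2.4.x. It is an added illustration, not configuration from the original post or from the Bro project: the hostnames, IP addresses, the `bond0` interface name (the RX and TX TAP legs bonded on each capture host) and the worker counts are assumptions chosen for the example. A single manager plus proxy runs on a third box, and each Ubuntu capture server becomes a worker host whose traffic is fanned out across several Bro processes with PF_RING, so both TAP feeds end up in one set of logs on the manager rather than in two unrelated instances.

```ini
# Added example node.cfg (not from the post): one cluster across two capture hosts.
# Hosts, addresses and interface names below are assumptions for illustration.

[manager]
type=manager
host=10.0.0.10          # assumed: dedicated cluster head, receives all logs

[proxy-1]
type=proxy
host=10.0.0.10          # a single proxy on the manager box is enough to start

[worker-1]
type=worker
host=10.0.0.11          # assumed: first Ubuntu server, TAP pair A
interface=bond0         # assumed: RX and TX TAP legs bonded into one interface
lb_method=pf_ring       # spread one interface across several Bro processes
lb_procs=8              # assumed: number of worker processes for this 10Gbps feed
pin_cpus=2,3,4,5,6,7,8,9

[worker-2]
type=worker
host=10.0.0.12          # assumed: second Ubuntu server, TAP pair B
interface=bond0
lb_method=pf_ring
lb_procs=8
pin_cpus=2,3,4,5,6,7,8,9
```

With this layout only the manager host writes the rotated, gzipped logs under `logs/`, so a single Splunk forwarder on the cluster head covers both TAPs. The bond itself is configured outside Bro (for example in `/etc/network/interfaces` with a bond device over the two TAP legs); since the TAP ports never transmit, the bonding mode only affects how the two unidirectional streams are merged, and a simple round-robin bond is a common choice for this.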