Allowing only certain log types

We are planning to only use the “logging” features of Bro, and for certain types, on a 10G link.

I’d appreciate pointing me in the right direction to only enable (conn.log, dns.log, http.log and ssl.log) while disabling all the others (to save processing cycles and storage) for the types that we won’t use/need.

Thanks.

Hi,

in addition to disabling log files (which you can do using
Log::disable_stream, as was already pointed out), you can start Bro in
bare mode. This will not enable any analyzers by default, you will have to
load them manually, which can save a bit of processing.

Note however that bare mode comes with its own complications - you have to
be sure that you load everything that is required (it is easy to, for
example, forget to load the dynamic protocol detection scripts); this is
not an approach I would generally recommend.

Johanna
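
As an added example (not part of either message in this thread): a Bro script that keeps only the four streams asked about and turns off every other one with Log::disable_stream. It assumes a Bro version whose logging framework exports the Log::active_streams table; keep_streams and the local variable names are chosen for this example.

```bro
# Added example, not code from the thread.
# Load from local.bro (or pass on the command line) after the default scripts.

# Streams to keep writing. Redef-able so a site can extend the list.
const keep_streams: set[Log::ID] = {
	Conn::LOG,
	DNS::LOG,
	HTTP::LOG,
	SSL::LOG,
} &redef;

# Base scripts create their streams in bro_init handlers that run at
# default or higher priority, so a negative priority runs after them.
event bro_init() &priority=-10
	{
	# Assumption: Log::active_streams is exported by the logging
	# framework in the Bro version in use.
	# Collect first, then disable: Log::disable_stream changes the
	# active-stream table, so it is not called while iterating over it.
	local to_disable: set[Log::ID] = set();

	for ( id in Log::active_streams )
		{
		if ( id !in keep_streams )
			add to_disable[id];
		}

	for ( d in to_disable )
		{
		if ( ! Log::disable_stream(d) )
			print fmt("could not disable log stream %s", d);
		}
	}
```

Disabling a stream only stops the log from being written; the analyzers and scripts that feed it still run, which is the processing cost the bare-mode suggestion above is about.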