Question on cutting down on number of conn.log entries

espressobeanies · March 8, 2017, 7:11pm

Hi,

I’m realizing my conn.log is eating up most of my performance and I’m trying to cut down the number of times Bro makes a duplicate entry in the conn.log file. I don’t necessarily need to see the same simultaneous traffic from a specific set of IP addresses and I’m trying to see if there’s a way to exempt them or at least cut down on the number of times they are entered in my conn.log. Does anyone have any recommendations? I’m also trying to do it in a way that also cuts down on my CPU performance if possible.

Thanks in advance,

Azoff_Justin_S · March 8, 2017, 7:22pm

What do you mean by duplicate entries? Are you seeing the same exact connection(same 5 tuple) logged multiple times?

espressobeanies · March 8, 2017, 9:40pm

Yep

Azoff_Justin_S · March 8, 2017, 9:47pm

Ok.. if you are seeing the exact same connection repeated multiple times that would point to an issue with your deployment.

Are you running multiple bro workers using lb_procs? If you run multiple workers but the load balancing is not functioning properly, you'll see multiple entries as you described.

Topic		Replies	Views
is there a bro script to ignore duplicated logs? Zeek	11	86	May 6, 2022
duplicate traffic Zeek	1	83	May 6, 2022
Newb with a couple questions Zeek	12	51	May 6, 2022
Get the license usage down in Splunk when indexing Bro Zeek	2	61	May 6, 2022
NAT connection logs Zeek	2	84	May 6, 2022

Question on cutting down on number of conn.log entries

Related Topics