Question on SSL logs


First, the background info… we are in the process of upgrading from Bro v2.3.2 to v2.4.1. The older version runs on a slower system which experiences more packet loss than the newer version, which is running on a faster system (which has mostly no loss at all). Both systems are seeing the same network traffic.

What we are seeing is that the SSL logs from v2.3.2 are consistently larger (by 20% to 25%) than the logs produced by v2.4.1. I see that there are a lot of improvements in the handling of SSL, and many that might actually impact log information, but we are unable to quantify how the logs are being affected even after a visual inspection of the logs. Is it reasonable to expect the new log files to be more compact (using the default SSL policies in both cases)? Just as a data point, the HTTP logs are comparable in size.

Would highly appreciate a response from the Bro SSL experts.



Hello Raj,

on the top of my head, I am not aware of any reason why the 2.4.1 SSL logs
should be more compact then the 2.3.2 logs; if anything, they should be

There were some changes to make the logs more compact, but thost were from
2.2 to 2.3; in these cases, a better metric would be the number of lines.

In any case if you can potentially take a small sample of your traffic and
run both 2.3.2 and 2.4.1 against it, and notice any changes (especially
missing lines in 2.4.1), I would appreciate it you could let me know.