Real-time reporting from multiple sensors to multiple analysis points

Marcin_Nawrocki · July 3, 2017, 10:51am

Dear bro mailing list,

I have a question regarding the configuration of bro and its real-time reporting features.

Right now, I have two sensors (s1, s2), each running one bro node with log files rotating every hour. After the rotation, I send the files from each sensor to an analysis point (a1) via scp and perform my analysis steps.

My requirements changed now: I want to know what happens on the sensors in almost real-time. How do I send reports from (s1,s2) with a max. delay of 10 seconds to another analysis point (a2)? The reports can still reach (a1) every hour to keep the load low. My intuition tells me, that a very low rotation interval and scp are not the best practice here.

Regards,

Marcin Nawrocki

Azoff_Justin_S · July 3, 2017, 7:32pm

Based on your requirements you probably want to use something like the bro kafka log writer, or a process running on each system like logstash that can forward logs.

Osama_Elnaggar · July 4, 2017, 5:29am

You can also have a look at lsyncd (https://github.com/axkibe/lsyncd) which is a synching daemon that uses rsync in the background. By default, lsyncd triggers copying when the file is closed but you can change this behavior by modifying the inotifyMode option - https://axkibe.github.io/lsyncd/manual/config/file/

Topic		Replies	Views
Elastic/Filebeat and Bro Logs Inquiry Zeek	2	61	May 6, 2022
bro logs stopped Zeek	2	101	May 6, 2022
BRO on the endpoint, how to manage. Zeek	4	55	May 6, 2022
any ArcSight users? Zeek	8	95	May 6, 2022
How can I do report cyclically Zeek	1	68	May 6, 2022

Real-time reporting from multiple sensors to multiple analysis points

Related Topics