Splunk or ELK to parse Bro logs

C_L_Martinez · February 20, 2017, 9:25am

Hi all,

I would like to do some tests and deploy rules using Bro under my laptop test lab. Due to limited resources, I would like to install some log parser tool for Bro like Splunk or ELK.

In the past, I have used Splunk and goes very well for my needs. But doing some searches, I am finding more docs about using ELK with Bro than using Splunk.

But I don't see how can I limit resources assigned to an ELK infrastructure to suit my needs (I can't assign more than 2.5 GB of RAM to vm where I will install splunk or elk or another solution).

I don't expect a lot of logs per day or hour from Bro's side (in fact, I expect very few), but i don't see pretty clear what solution to use.

What are your opinions or recommendations?

Many thanks to all.

Joe_Blow · February 20, 2017, 1:43pm

You could just change the JVM you’re using elasticsearch/logstash on to only allocate 1GB of RAM. On that VM if you give it 2.5GB of RAM, then only 1GB of it will be used by your Elasticsearch install. The rest will be used by the OS (disk cache) and logstash.

In CentOS land, you’d make your /etc/sysconfig/elasticsearch file say this:

ES_HEAP_SIZE=1g

Cheers,

JB

Collyer_Jeffrey_W_jw · February 20, 2017, 3:50pm

For Splunk I’ve had good luck with logging to JSON format and using this TA

https://github.com/jahshuah/splunk-ta-bro-json

Jeffrey Collyer

C_L_Martinez · February 22, 2017, 8:32am

Many thanks to all for your inputs. Regarding to use ELK, is it safe to use latest versions of Logstash, Elasticsearch adn Kibana? What version do you recommend?

Topic		Replies	Views
elastic search / bro questions Zeek	17	107	May 6, 2022
filebeat +elk Zeek	19	160	May 6, 2022
Splunk or ELK to parse Bro logs Zeek	1	65	May 6, 2022
- recommended DB for Bro logs Zeek	11	110	May 6, 2022
Web GUI for Bro? Zeek	8	192	May 6, 2022

Splunk or ELK to parse Bro logs

Related topics