In addition to the benefits of parsing logs in a single stream, BFD uses a log tracking system so that each log is only parsed from the point at which it was last read. This further improves performance, since the same log data is never read twice. The log tracking system is compatible with syslog/logrotate style log rotation: it detects when a rotation has happened and reads the unparsed tail of the rotated log file before continuing with the new log file.
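The following is an added illustration of that tracking scheme, not code from BFD itself. It stores the inode and byte offset of the last read in a small state file; a changed inode means the log was rotated by rename, so the tail of the rotated copy (assumed to live at `<log>.1`, a logrotate default) is read first, and an offset larger than the current file size means the log was truncated in place, so reading restarts from zero. The state-file format, the function names and the sample sshd lines are all constructed for this example.

```python
"""Incremental log reader with logrotate-aware position tracking (added example)."""
import json
import os
import tempfile


def _read_from(path, offset):
    """Return (complete lines, new offset) for data in path from offset onward.

    A trailing partial line (no newline yet) is left for the next pass so a
    half-written record is never parsed."""
    with open(path, "rb") as fh:
        fh.seek(offset)
        data = fh.read()
    end = data.rfind(b"\n")
    if end == -1:
        return [], offset
    chunk = data[: end + 1]
    return chunk.decode("utf-8", "replace").splitlines(), offset + len(chunk)


def read_new_lines(log_path, state_path, rotated_path=None):
    """Return lines appended to log_path since the last call, surviving rotation.

    State is {"inode": int, "offset": int} in JSON (format assumed for this example).
    """
    if rotated_path is None:
        rotated_path = log_path + ".1"   # logrotate default name, assumed
    try:
        with open(state_path) as fh:
            state = json.load(fh)
    except (OSError, ValueError):
        state = {"inode": None, "offset": 0}   # first run: read from the start

    st = os.stat(log_path)
    offset = state["offset"]
    lines = []
    if state["inode"] is not None and state["inode"] != st.st_ino:
        # Rotated by rename: the file we were reading now sits at rotated_path.
        # Only trust it if the inode still matches (not yet compressed/removed).
        if os.path.exists(rotated_path) and os.stat(rotated_path).st_ino == state["inode"]:
            tail, _ = _read_from(rotated_path, offset)
            lines.extend(tail)
        offset = 0
    elif offset > st.st_size:
        # Truncated in place (logrotate copytruncate): start over.
        offset = 0

    new, offset = _read_from(log_path, offset)
    lines.extend(new)
    with open(state_path, "w") as fh:
        json.dump({"inode": st.st_ino, "offset": offset}, fh)
    return lines


def simulate_rotation():
    """Constructed walk-through: append, rotate by rename, append again.

    Returns what three successive passes yield."""
    with tempfile.TemporaryDirectory() as d:
        log = os.path.join(d, "secure")
        state = os.path.join(d, "secure.state")
        # Constructed sample lines in sshd style.
        with open(log, "a") as fh:
            fh.write("sshd[101]: Failed password for root from 203.0.113.5 port 4022 ssh2\n")
        first = read_new_lines(log, state)
        with open(log, "a") as fh:
            fh.write("sshd[102]: Failed password for admin from 203.0.113.5 port 4023 ssh2\n")
        os.rename(log, log + ".1")            # logrotate-style rename keeps the inode
        with open(log, "w") as fh:            # fresh log file, new inode
            fh.write("sshd[103]: Failed password for root from 198.51.100.9 port 5100 ssh2\n")
        second = read_new_lines(log, state)   # tail of rotated file + new file
        third = read_new_lines(log, state)    # nothing new
        return first, second, third


if __name__ == "__main__":
    for n, batch in zip(("first", "second", "third"), simulate_rotation()):
        print(n, batch)
```

The second pass is the one that matters: line 102 was written after the first pass but before the rename, and it is picked up from the rotated copy before the new file is read, so nothing is lost or double-counted.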
You can also have BFD block attackers through any of a number of tools, such as APF, Shorewall, raw iptables or ip route, or through any custom command you supply. There is also a fully customizable e-mail alerting system with a template that is well suited to everyday use and can be edited to taste.
Attacker tracking in BFD is handled with simple flat text files that are size-controlled so they cannot exhaust disk space over time, which makes them suitable for diskless devices. There is also an attack pool that stores trending data on every host that has been blocked, including which rule triggered the block.
In the execution process, a cron job simply runs BFD once every 3 minutes by default. A built-in lock file ensures that no two instances ever run at the same time, preventing messy and potentially load-heavy results. The cron job can be run more frequently by those who want it, with no performance penalty, down to cron's minimum interval of once a minute.
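An added example of those two mechanisms together, not BFD's own code: each scheduled pass takes a non-blocking exclusive lock on a lock file and simply returns without doing anything if another pass still holds it, and a successful pass appends a record to a flat attacker file that is trimmed to a fixed number of entries so it cannot grow without bound. The lock file path, the record format and the `max_lines` cap are assumptions made for this example.

```python
"""Single-instance run guard plus a size-capped flat attacker file (added example)."""
import fcntl
import os
import tempfile


def acquire_lock(lock_path):
    """Return an open file holding an exclusive flock, or None if another instance holds it."""
    fh = open(lock_path, "a+")
    try:
        fcntl.flock(fh, fcntl.LOCK_EX | fcntl.LOCK_NB)
    except BlockingIOError:
        fh.close()
        return None
    return fh


def release_lock(fh):
    """Drop the lock; closing the file also releases it if the process dies."""
    fcntl.flock(fh, fcntl.LOCK_UN)
    fh.close()


def record_attacker(track_path, record, max_lines=1000):
    """Append one record, keep only the newest max_lines, and return the line count.

    The rewrite goes through a temp file and os.replace so a crash mid-write
    cannot leave a half-written tracking file."""
    try:
        with open(track_path) as fh:
            lines = fh.read().splitlines()
    except OSError:
        lines = []
    lines.append(record)
    lines = lines[-max_lines:]
    tmp = track_path + ".tmp"
    with open(tmp, "w") as fh:
        fh.write("\n".join(lines) + "\n")
    os.replace(tmp, track_path)
    return len(lines)


def run_once(lock_path, track_path, record, max_lines=1000):
    """One scheduled pass: skip entirely if another pass is running."""
    lock = acquire_lock(lock_path)
    if lock is None:
        return None
    try:
        return record_attacker(track_path, record, max_lines)
    finally:
        release_lock(lock)


def simulate_runs():
    """Constructed scenario: one pass while the lock is held, then five free passes
    against a file capped at three entries."""
    with tempfile.TemporaryDirectory() as d:
        lock = os.path.join(d, "bfd.lock")
        track = os.path.join(d, "attackers")
        held = acquire_lock(lock)                      # pretend a pass is still running
        while_locked = run_once(lock, track, "203.0.113.5 sshd", max_lines=3)
        release_lock(held)
        counts = [run_once(lock, track, f"198.51.100.{i} sshd", max_lines=3)
                  for i in range(5)]
        with open(track) as fh:
            remaining = fh.read().splitlines()
        return while_locked, counts, remaining


if __name__ == "__main__":
    print(simulate_runs())
```

flock locks belong to the open file description rather than the process, so a second `open()` of the same lock file conflicts even inside one process, which is what lets the constructed scenario show the skipped pass without spawning a second interpreter.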