[Bro] Couple elasticsearch questions

Justin Azoff JAzoff at albany.edu
Wed Jul 23 08:25:58 PDT 2014

On Wed, Jul 23, 2014 at 09:10:44AM -0600, James Lay wrote:
> Hey all,
> A few questions:
> 1.  Is there a proper way to set which logs to send to elasticsearch 
> that I can use in local.bro instead of modifying 
> logs-to-elasticsearch.bro?  I am assuming that logs-to-elasticsearch.bro 
> might change in future versions of bro.

Yes, you should just create your own .bro file and take what you need
from logs-to-elasticsearch.bro

> 2.  The docs say to add @load tuning/logs-to-elasticsearch in 
> local.bro...how can I send bro data to a remote elasticsearch server 
> instead?

redef LogElasticSearch::server_host = "...";

> 3.  And lastly, as I look at the Brownian demo, I see that all the 
> fields are correctly laid out..was this done with Brownian, or with 
> elasticsearch itself?

No idea.. Vlad would know :-)

> I'm trying to get bro data into logstash direct, instead of using log 
> files.  Thanks for any insight.

Keep in mind that in a failure of communication between Bro and ES you
might have a very bad time.

-- Justin Azoff
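One way to follow the advice above (a site-local script that takes only what it needs from logs-to-elasticsearch.bro, plus the server_host redef) in working Bro script form. This is an added example, not code from the thread or from Bro's shipped scripts; the file name es-selected-logs.bro, the host name, the chosen streams, and the server_port and transfer_timeout tunables (only server_host is named in the thread) are assumptions.

```bro
##! Site-local script (assumed name: es-selected-logs.bro, loaded from
##! local.bro with "@load ./es-selected-logs") that sends only a chosen set
##! of log streams to a remote ElasticSearch node. It mirrors the filter
##! loop in tuning/logs-to-elasticsearch.bro, so that shipped file can stay
##! untouched across Bro upgrades.

module SiteES;

export {
	## Only these streams get an ElasticSearch writer; everything else
	## keeps writing ASCII log files as before (assumed selection).
	const streams_to_send: set[Log::ID] = { Conn::LOG, DNS::LOG, HTTP::LOG } &redef;
}

# Remote node instead of the localhost default. "es.example.internal" is a
# placeholder; server_port and transfer_timeout are assumed to be the
# writer's existing tunables (the thread only names server_host).
redef LogElasticSearch::server_host = "es.example.internal";
redef LogElasticSearch::server_port = 9200;
# Fail fast on a slow or unreachable node rather than stalling the writer,
# which is the Bro/ES communication failure the reply warns about.
redef LogElasticSearch::transfer_timeout = 2secs;

# Negative priority so the streams already exist when filters are added.
event bro_init() &priority=-5
	{
	for ( stream_id in streams_to_send )
		{
		# Adds a second writer to the stream; the default ASCII filter
		# remains, so the log files are still on disk if ES goes away.
		local filter: Log::Filter = [$name="site-es",
		                             $writer=Log::WRITER_ELASTICSEARCH,
		                             $interv=3hr];
		Log::add_filter(stream_id, filter);
		}
	}
```

Keeping the default ASCII filter alongside the ElasticSearch writer is the simplest hedge against the failure mode mentioned in the reply: if the remote node stops accepting data, the on-disk logs remain available for replay.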
