[Bro] Couple elasticsearch questions
JAzoff at albany.edu
Wed Jul 23 08:25:58 PDT 2014
On Wed, Jul 23, 2014 at 09:10:44AM -0600, James Lay wrote:
> Hey all,
> A few questions:
> 1. Is there a proper way to set which logs to send to elasticsearch
> that I can use in local.bro instead of modifying
> logs-to-elasticsearch.bro? I am assuming that logs-to-elasticsearch.bro
> might change in future versions of bro.
Yes, you should just create your own .bro file and take what you need
> 2. The docs say to add @load tuning/logs-to-elasticsearch in
> local.bro...how can I send bro data to a remote elasticsearch server
redef LogElasticSearch::server_host = "...";
> 3. And lastly, as I look at the Brownian demo, I see that all the
> fields are correctly laid out...was this done with Brownian, or with
> elasticsearch itself?
No idea.. Vlad would know :-)
> I'm trying to get bro data into logstash direct, instead of using log
> files. Thanks for any insight.
Keep in mind that in a failure of communication between Bro and ES you
might have a very bad time.
-- Justin Azoff
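A minimal standalone script of the kind described in the first two answers (a local .bro file that points the writer at a remote host and copies only selected streams to ElasticSearch). This is an added example, not code from the thread or from the Bro distribution; the host name, the `server_port` redef, the `es_streams` name and the chosen stream IDs are assumptions:

```bro
# local-elasticsearch.bro (constructed example)
# Load this from local.bro with:  @load ./local-elasticsearch
# The LogElasticSearch writer and its options are part of the base
# logging framework, so no extra @load is needed for the redefs below.

# Point the ElasticSearch writer at the remote server instead of localhost.
# Host name and port are placeholders for your own deployment.
redef LogElasticSearch::server_host = "es.example.internal";
redef LogElasticSearch::server_port = 9200;

# Only these streams get an additional ElasticSearch filter; the normal
# ASCII log files for every stream are left exactly as they were.
const es_streams: set[Log::ID] = {
	Conn::LOG,
	DNS::LOG,
	HTTP::LOG,
	Notice::LOG,
} &redef;

# Negative priority so this runs after the log streams themselves have
# been created by the framework's own bro_init handlers.
event bro_init() &priority=-5
	{
	# Same guard the stock script uses: no host configured, nothing to do.
	if ( LogElasticSearch::server_host == "" )
		return;

	for ( id in es_streams )
		{
		# A second filter on the stream: the default ASCII filter stays,
		# this one forwards the same records to the ElasticSearch writer.
		local filter: Log::Filter = [$name = "to-es",
		                             $writer = Log::WRITER_ELASTICSEARCH];
		Log::add_filter(id, filter);
		}
	}
```

Keeping the ASCII filter alongside the ElasticSearch one means the on-disk logs survive the failure mode Justin warns about, at the cost of writing each record twice.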