[Bro] Couple elasticsearch questions

Seth Hall seth at icir.org
Wed Jul 23 08:40:40 PDT 2014

On Jul 23, 2014, at 11:10 AM, James Lay <jlay at slave-tothe-box.net> wrote:

> 1.  Is there a proper way to set which logs to send to elasticsearch 
> that I can use in local.bro instead of modifying 
> logs-to-elasticsearch.bro?

Yes, there are settings that you can change.  In local.bro, you can do this...

@load tuning/logs-to-elasticsearch
redef LogElasticSearch::send_logs += { Conn::LOG, HTTP::LOG };

That will only send the conn.log and http.log to ElasticSearch.

> 2.  The docs say to add @load tuning/logs-to-elasticsearch in 
> local.bro...how can I send bro data to a remote elasticsearch server 
> instead?

redef LogElasticSearch::server_host = "";

> 3.  And lastly, as I look at the Brownian demo, I see that all the 
> fields are correctly laid out..was this done with Brownian, or with 
> elasticsearch itself?

Could you explain what you mean by "correctly laid out"?

> I'm trying to get bro data into logstash direct, instead of using log 
> files.  Thanks for any insight.

Cool!  With the current mechanism, you could encounter overload situations that cause Bro to grow in memory until you run out of memory.  We're slowly working on extensions to the ES writer to make it write to a disk backed queuing system so that things should remain more stable over time.  I am interested to hear any experiences you have with this though.


Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
