[Bro] Elasticsearch Writer vs logstash
Luis Miguel Silva
luismiguelferreirasilva at gmail.com
Thu Jan 29 22:48:44 PST 2015
I'm interested in dumping my bro logs into an Elasticsearch instance and,
based on what I was able to learn thus far, it seems I have two different
- use the elasticsearch writer (which the documentation says should not be
used in production as it doesn't have any error checking)
- or use logstash to read info directly from the bro logs and externally
dump it into elasticsearch
It seems to me the logstash route is better, given that I should be able to
massage the data into more "user friendly" fields that can be easily
queried with elasticsearch.
So my question is, based on your experience, what is the best option? And,
if you do use logstash, can you share your logstash config?
Thanks in advance,
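The "massage the data into more user friendly fields" step that the post describes is essentially what a Logstash filter chain does externally: read Bro's tab-separated ASCII log, honour its header conventions (`#separator`, `#set_separator`, `#empty_field`, `#unset_field`, `#fields`, `#types`), type each column, and emit documents for Elasticsearch. The script below is an added example of that step written as stand-alone Python; it is not code from the original post, from Bro, or from Logstash. The conn.log excerpt is constructed (RFC 5737 addresses, made-up uids), and the `log_type` field name, the renaming of dotted field names to underscores, and the `@timestamp` ISO 8601 field are design choices of this example rather than a Bro or Elasticsearch convention.

```python
"""Parse a Bro ASCII log into typed records and Elasticsearch _bulk NDJSON (added example)."""
import json
from datetime import datetime, timezone

# Constructed sample conn.log excerpt: RFC 5737 addresses, made-up uids and timestamps.
SAMPLE_CONN_LOG = "\n".join([
    "#separator \\x09",
    "#set_separator\t,",
    "#empty_field\t(empty)",
    "#unset_field\t-",
    "#path\tconn",
    "#open\t2015-01-29-22-48-44",
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tservice"
    "\tduration\torig_bytes\tresp_bytes\tconn_state\tlocal_orig\ttunnel_parents",
    "#types\ttime\tstring\taddr\tport\taddr\tport\tenum\tstring"
    "\tinterval\tcount\tcount\tstring\tbool\tset[string]",
    "1422586124.123456\tCXWv6p3arKYeMETxOg\t192.0.2.10\t51234\t198.51.100.5\t443\ttcp\tssl"
    "\t1.234567\t1024\t4096\tSF\tT\t(empty)",
    "1422586125.000000\tCjhGID4nQcgTWjvg4c\t192.0.2.11\t53\t198.51.100.53\t53\tudp\tdns"
    "\t-\t-\t-\tS0\t-\t-",
    "#close\t2015-01-29-22-49-00",
])

# Bro scalar types that should not stay as text once indexed.
TYPE_CONVERTERS = {
    "count": int, "int": int, "port": int,
    "time": float, "interval": float, "double": float,
    "bool": lambda v: v == "T",
}


def _decode_separator(token):
    """Bro writes '#separator \\x09' as a literal escape sequence; turn it into a real tab."""
    return token.encode("ascii").decode("unicode_escape")


def convert_field(value, bro_type, meta):
    """Map one raw column to a typed Python value using the #types declaration."""
    if value == meta["unset_field"]:
        return None                       # '-' means the field was never set
    if bro_type.startswith(("set[", "vector[")):
        if value == meta["empty_field"]:
            return []                     # '(empty)' container
        inner = bro_type[bro_type.index("[") + 1:-1]
        return [convert_field(v, inner, meta) for v in value.split(meta["set_separator"])]
    if value == meta["empty_field"]:
        return ""
    return TYPE_CONVERTERS.get(bro_type, str)(value)   # addr, string, enum, subnet stay text


def parse_bro_log(text):
    """Return (path, records) for one Bro ASCII log; the header lines drive the parsing."""
    meta = {"separator": "\t", "set_separator": ",", "empty_field": "(empty)",
            "unset_field": "-", "path": None}
    fields = types = None
    records = []
    for raw in text.splitlines():
        if not raw:
            continue
        if raw.startswith("#separator "):
            meta["separator"] = _decode_separator(raw.split(" ", 1)[1])
            continue
        if raw.startswith("#"):
            key, _, val = raw[1:].partition(meta["separator"])
            if key in ("set_separator", "empty_field", "unset_field", "path"):
                meta[key] = val
            elif key == "fields":
                fields = val.split(meta["separator"])
            elif key == "types":
                types = val.split(meta["separator"])
            continue                      # #open / #close carry no record data
        if not fields or not types or len(fields) != len(types):
            raise ValueError("data row seen before a complete #fields/#types header")
        cols = raw.split(meta["separator"])
        if len(cols) != len(fields):
            raise ValueError(f"expected {len(fields)} columns, got {len(cols)}: {raw!r}")
        records.append({n: convert_field(v, t, meta) for n, v, t in zip(fields, cols, types)})
    return meta["path"], records


def to_es_document(record, path):
    """Reshape one record for Elasticsearch: underscore field names, ISO 8601 @timestamp."""
    doc = {name.replace(".", "_"): value for name, value in record.items()}
    doc["log_type"] = path                # assumed field name chosen for this example
    if isinstance(doc.get("ts"), float):
        doc["@timestamp"] = datetime.fromtimestamp(doc["ts"], tz=timezone.utc).isoformat()
    return doc


def to_bulk_lines(records, path, index):
    """Produce the action/source NDJSON line pairs the Elasticsearch _bulk API expects."""
    lines = []
    for record in records:
        lines.append(json.dumps({"index": {"_index": index}}))
        lines.append(json.dumps(to_es_document(record, path), sort_keys=True))
    return lines


if __name__ == "__main__":
    log_path, conn_records = parse_bro_log(SAMPLE_CONN_LOG)
    print("\n".join(to_bulk_lines(conn_records, log_path, f"bro-{log_path}")))
```

Reading the separator and the unset/empty markers from the header, rather than hard-coding a tab and `-`, is what keeps the converter correct when a Bro site changes those settings; the same header-driven approach is what a Logstash csv or grok filter for Bro has to reproduce by hand for every log type.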