[Bro] Elasticsearch Writer vs logstash

Luis Miguel Silva luismiguelferreirasilva at gmail.com
Thu Jan 29 23:11:28 PST 2015

...I just found a website that has a tutorial on how to parse bro logs with
logstash <http://www.appliednsm.com/parsing-bro-logs-with-logstash/> AND
points to the config used in the distro Security Onion

So I'd just like to know what your thoughts are on using the elasticsearch
writer vs logstash?

Thank you,

On Thu, Jan 29, 2015 at 11:48 PM, Luis Miguel Silva <luismiguelferreirasilva at gmail.com> wrote:

> Dear all,
> I'm interested in dumping my bro logs into an Elasticsearch instance and,
> based on what I was able to learn thus far, it seems I have two different
> options:
> - use the elasticsearch writer (which the documentation says should not be
> used in production as it doesn't have any error checking)
> - or use logstash to read info directly from the bro logs and externally
> dump it into elasticsearch
> It seems to me the logstash route is better, given that I should be able
> to massage the data into more "user friendly" fields that can be easily
> queried with elasticsearch.
> So my question is, based on your experience, what is the best option? And,
> if you do use logstash, can you share your logstash config?
> Thanks in advance,
> Luis
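The second option above (read the ASCII logs Bro writes and reshape them before indexing) hinges on parsing Bro's self-describing TSV format: the `#separator`, `#set_separator`, `#empty_field`, `#unset_field`, `#path`, `#fields` and `#types` header lines tell you how to split each row and what type each column has. The following is an added example, not code from the Bro project, from Logstash, or from the post above. It turns a Bro log into typed JSON documents (dotted names such as `id.orig_h` become nested objects, `ts` becomes an ISO `@timestamp`, `-` becomes null, `(empty)` becomes an empty set, counts and intervals become numbers) and emits an Elasticsearch `_bulk` body. The conn.log sample, the `bro_log` field name and the `bro` index name are constructed for the example.

```python
"""
Parse Bro's self-describing ASCII logs into typed JSON documents and
render them as an Elasticsearch _bulk request body.

Added example; not code from Bro, Logstash, or the mailing-list post.
The one-row conn.log below is constructed for illustration.
"""
import json
from datetime import datetime, timezone

# Constructed sample: a minimal conn.log with the standard Bro header block.
SAMPLE_CONN_LOG = (
    "#separator \\x09\n"
    "#set_separator\t,\n"
    "#empty_field\t(empty)\n"
    "#unset_field\t-\n"
    "#path\tconn\n"
    "#open\t2015-01-29-23-11-28\n"
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tservice"
    "\tduration\torig_bytes\tresp_bytes\tconn_state\tlocal_orig\tmissed_bytes"
    "\thistory\ttunnel_parents\n"
    "#types\ttime\tstring\taddr\tport\taddr\tport\tenum\tstring"
    "\tinterval\tcount\tcount\tstring\tbool\tcount\tstring\tset[string]\n"
    "1422601888.123456\tCXWv6p3arKYeMETxOg\t192.168.1.10\t52345\t93.184.216.34\t80"
    "\ttcp\thttp\t0.512345\t1024\t4096\tSF\t-\t0\tShADadFf\t(empty)\n"
    "#close\t2015-01-29-23-12-00\n"
)


def _convert(value, btype, meta):
    """Convert one raw column according to its Bro type and the log's sentinels."""
    if value == meta["unset_field"]:
        return None                      # "-" means the field was never set
    if btype.startswith(("set[", "vector[")):
        if value == meta["empty_field"]:
            return []                    # "(empty)" on a container is an empty set
        inner = btype[btype.index("[") + 1:-1]
        return [_convert(v, inner, meta) for v in value.split(meta["set_separator"])]
    if value == meta["empty_field"]:
        return ""                        # "(empty)" on a scalar is the empty string
    if btype in ("count", "int", "port"):
        return int(value)
    if btype in ("double", "interval", "time"):
        return float(value)
    if btype == "bool":
        return value == "T"
    return value                         # string, addr, subnet, enum stay as text


def _nest(doc, dotted, value):
    """Store 'id.orig_h' as doc['id']['orig_h'] so Elasticsearch sees objects, not dotted keys."""
    parts = dotted.split(".")
    cur = doc
    for part in parts[:-1]:
        cur = cur.setdefault(part, {})
    cur[parts[-1]] = value


def parse_bro_log(text):
    """Return one dict per data row, typed from the #fields/#types header."""
    meta = {"set_separator": ",", "empty_field": "(empty)", "unset_field": "-", "path": None}
    sep = "\t"
    fields = types = None
    docs = []
    for line in text.splitlines():
        if not line:
            continue
        if line.startswith("#separator "):
            # The separator is written as an escape, e.g. \x09; the rest of the
            # header uses that separator from here on.
            sep = line[len("#separator "):].encode("ascii").decode("unicode_escape")
            continue
        if line.startswith("#"):
            key, _, rest = line[1:].partition(sep)
            if key == "fields":
                fields = rest.split(sep)
            elif key == "types":
                types = rest.split(sep)
            elif key in meta:
                meta[key] = rest
            continue                     # #open / #close carry no row data
        if fields is None or types is None or len(fields) != len(types):
            raise ValueError("data row seen before a complete #fields/#types header")
        values = line.split(sep)
        if len(values) != len(fields):
            raise ValueError("row has %d columns, header declares %d" % (len(values), len(fields)))
        doc = {}
        for name, btype, raw in zip(fields, types, values):
            _nest(doc, name, _convert(raw, btype, meta))
        if isinstance(doc.get("ts"), float):
            doc["@timestamp"] = datetime.fromtimestamp(doc["ts"], tz=timezone.utc).isoformat()
        doc["bro_log"] = meta["path"]    # hypothetical field name; keeps the log type (conn, dns, ...)
        docs.append(doc)
    return docs


def to_bulk_ndjson(docs, index="bro"):
    """Render documents as an Elasticsearch _bulk body: action line, then document line."""
    lines = []
    for doc in docs:
        lines.append(json.dumps({"index": {"_index": index}}))
        lines.append(json.dumps(doc, sort_keys=True))
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(to_bulk_ndjson(parse_bro_log(SAMPLE_CONN_LOG)), end="")
```

Two practical points the parser takes care of: a row whose column count does not match the header is rejected instead of being indexed with shifted fields, and the `#types` line drives conversion, so a numeric port or byte count arrives in Elasticsearch as a number rather than a string and can be range-queried.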
