[Bro] logging to elasticsearch git clone
daniel.guerra69 at gmail.com
Fri May 1 15:29:58 PDT 2015
Logging locally and then parsing (the logstash way) is not really preferred. I have been playing with docker and created a docker image for bro with elasticsearch. This works great: bro uses elasticsearch to log; only kibana needs a different timestamp (ts).
To check that your bro can do elasticsearch, do:
/usr/local/bro/bin/bro -N Bro::ElasticSearch
Bro::ElasticSearch - ElasticSearch log writer (dynamic, version 1.0)
const enable_local_logging = F
to avoid local logging
## Name of the ES cluster.
const cluster_name = "<clustername>" &redef;
## ES server.
const server_host = "<yourip>" &redef;
To get the clustername and ip, check with your browser: http://<elasticip>:9200/_nodes
mkdir /usr/local/bro/share/bro/elasticsearch and copy from the git bro source dir aux/plugins/elasticsearch/scripts/Bro/ElasticSearch/logs-to-elasticsearch.bro to
Add to /usr/local/bro/share/bro/base/init-default.bro
You are now ready to log to elasticsearch.
In kibana use bro-* to get your indices, or check http://<elasticip>:9200/_cat/indices?v
Hopefully bro can log a YYYY:mm:dd HH:MM:ss format for ts; work in progress...
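The timestamp problem the post ends on can be worked around outside bro: the example below (added here, not the poster's code or part of the bro plugin) takes a log record as the ES writer would index it, with ts as the epoch-seconds value bro logs, and adds the ISO-8601 @timestamp field Kibana expects. The sample record is constructed; it assumes one JSON object per log entry with a numeric ts.

```python
# Added example: give Bro records written to ElasticSearch a Kibana-friendly timestamp.
# Assumes the ES writer emits one JSON object per entry with a numeric "ts" field
# (epoch seconds, as bro's time type is logged). The sample record is constructed.
import json
from datetime import datetime, timezone


def ts_to_iso8601(ts):
    """Render an epoch-seconds value as UTC ISO-8601 with millisecond precision."""
    dt = datetime.fromtimestamp(float(ts), tz=timezone.utc)
    return dt.strftime("%Y-%m-%dT%H:%M:%S.") + "%03dZ" % (dt.microsecond // 1000)


def add_kibana_timestamp(record):
    """Return a copy of the record with '@timestamp' added.

    Records without a numeric ts are returned unchanged, so one odd line
    does not abort a bulk conversion; the original ts is left in place.
    """
    out = dict(record)
    ts = out.get("ts")
    if isinstance(ts, (int, float)) and not isinstance(ts, bool):
        out["@timestamp"] = ts_to_iso8601(ts)
    return out


def convert_line(line):
    """Convert one JSON line of bro output into a line carrying '@timestamp'."""
    return json.dumps(add_kibana_timestamp(json.loads(line)))


# Constructed conn.log-style entry; ts corresponds to 2015-05-01 22:29:58.123 UTC.
SAMPLE_LINE = ('{"ts": 1430519398.123456, "uid": "CXYZ1", "id.orig_h": "10.0.0.5", '
               '"id.resp_p": 443, "proto": "tcp"}')

if __name__ == "__main__":
    print(convert_line(SAMPLE_LINE))
```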