[Bro] Bro with elasticsearch 2.0

Daniel Guerra daniel.guerra69 at gmail.com
Fri Nov 6 14:28:33 PST 2015

I have no problems with elastic 2.0. I have made a docker container for this
check. It runs the git version and I patched some things (check the dockerfile).
https://hub.docker.com/r/danielguerra/bro-debian-elasticsearch/
I just added an elasticsearch data volume that has all indexes for bro and kibana.
https://hub.docker.com/r/danielguerra/bro-elasticsearch-kibana-volume/

> On 06 Nov 2015, at 22:13, Tim Desrochers <tgdesrochers at gmail.com> wrote:
> This may not be a question for this forum but I have raised it in the elasticsearch forum with no answers.
> I just upgraded my ES cluster to elasticsearch 2.0 and it seems that elasticsearch no longer allows for dot (.) in field names and will not send that data into the cluster. This means that any info from the Intel log, x509 log, and other fields will no longer be indexed.
> Is there a workaround for this? Is there a way to have bro print fields with underscores instead of periods or, and this may be easier, is there a way to have logstash look for any field name with a dot and replace them with an underscore?
> As with many things, upgrades in one product drive changes in others. I'm not sure the reason ES 2.0 decided that field names cannot include dots but I'd love to find a way to make this work with bro once again.
> Thanks
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
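The second workaround Tim asks about, rewriting dotted Bro field names (such as `id.orig_h` in conn.log) to underscore form before the records reach Elasticsearch 2.0, can be done in a small preprocessing step. The following is an added example written for this thread; it is not code from Daniel's container, from Bro, or from Logstash. It assumes the logs are already in JSON form (one record per line), and the conn.log record it processes is a constructed sample with made-up values. It also handles one edge case the rename can introduce: a record that already holds both `a.b` and `a_b` would silently lose one of them after renaming, so the function refuses such records instead of merging them.

```python
import json


class KeyCollision(ValueError):
    """Raised when de-dotting would merge two distinct keys into one."""


def dedot_keys(obj, sep="_"):
    """Return a copy of obj with '.' replaced by sep in every dict key, recursively.

    Lists and nested dicts are walked; scalar values are returned unchanged.
    If two keys in the same dict map to the same de-dotted name, raise
    KeyCollision rather than letting one value overwrite the other.
    """
    if isinstance(obj, dict):
        out = {}
        for key, value in obj.items():
            new_key = key.replace(".", sep) if isinstance(key, str) else key
            if new_key in out:
                raise KeyCollision(
                    "keys %r and %r both map to %r" % (key, _original_key(obj, new_key, sep), new_key)
                )
            out[new_key] = dedot_keys(value, sep)
        return out
    if isinstance(obj, list):
        return [dedot_keys(item, sep) for item in obj]
    return obj


def _original_key(d, new_key, sep):
    """Find the key in d (other than new_key itself) that de-dots to new_key."""
    for k in d:
        if isinstance(k, str) and k != new_key and k.replace(".", sep) == new_key:
            return k
    return new_key


def has_dotted_keys(obj):
    """True if any dict key anywhere in obj contains a '.' (what ES 2.0 rejects)."""
    if isinstance(obj, dict):
        return any(
            (isinstance(k, str) and "." in k) or has_dotted_keys(v) for k, v in obj.items()
        )
    if isinstance(obj, list):
        return any(has_dotted_keys(item) for item in obj)
    return False


def dedot_json_line(line, sep="_"):
    """Parse one JSON log line, de-dot its keys, and return the cleaned dict."""
    return dedot_keys(json.loads(line), sep)


# Constructed sample record (values are invented): field names follow the
# Bro conn.log layout, where the connection tuple lives under dotted id.* keys.
SAMPLE_CONN_LINE = json.dumps({
    "ts": 1446848913.123,
    "uid": "CExampleUid0000",
    "id.orig_h": "10.0.0.5",
    "id.orig_p": 51234,
    "id.resp_h": "192.0.2.10",
    "id.resp_p": 443,
    "proto": "tcp",
    "service": "ssl",
    "conn_state": "SF",
})


if __name__ == "__main__":
    cleaned = dedot_json_line(SAMPLE_CONN_LINE)
    print(json.dumps(cleaned, sort_keys=True))
```

Run the module directly to see the sample record with `id_orig_h`, `id_resp_h`, and so on in place of the dotted names; in a pipeline you would call `dedot_json_line` on each line before handing the dict to the Elasticsearch bulk API. The collision check matters more than it looks: Bro log types that mix plain and dotted names are exactly where a silent overwrite would drop a field without any error from Elasticsearch.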
