[Bro] Bro -> Elasticsearch -> Kibana4beta -> GeoLocation

Daniel Guerra daniel.guerra69 at gmail.com
Thu Oct 29 14:28:47 PDT 2015


Hi Vlad,

I'm interested in how I can present the JSON the way Elastic wants it.

Regards,

Daniel
> On 29 Oct 2015, at 21:15, Vlad Grigorescu <vlad at grigorescu.org> wrote:
> 
> You should be able to customize how ElasticSearch stores the data via an explicit mapping: https://www.elastic.co/guide/en/elasticsearch/reference/current/object.html (i.e., you would add lat and long as objects under the resp_loc object).
> 
> Alternatively, if all you want is to present a geo-point, there are some other ways to represent that: https://www.elastic.co/guide/en/elasticsearch/reference/current/geo-point.html
> 
>   --Vlad
> 
> On Wed, Oct 28, 2015 at 8:31 AM, Daniel Guerra <daniel.guerra69 at gmail.com> wrote:
> To be more clear
> I use this bro script for geo location
> 
> ##! Add geo_location for the originator and responder of a connection
> ##! to the connection logs.
> 
> module Conn;
> 
> export {
> 	## Both fields are &optional, so they only show up in conn.log
> 	## when the GeoIP lookup actually returned coordinates.
> 	redef record Conn::Info += {
> 		orig_loc: geo_location &optional &log;
> 		resp_loc: geo_location &optional &log;
> 	};
> }
> 
> # Default priority 0: runs after base/protocols/conn has filled in c$conn
> # (priority 5) and before it writes the Conn::LOG entry (priority -5).
> event connection_state_remove(c: connection)
> 	{
> 	local orig_loc = lookup_location(c$id$orig_h);
> 	if ( orig_loc?$longitude && orig_loc?$latitude )
> 		c$conn$orig_loc = orig_loc;
> 
> 	local resp_loc = lookup_location(c$id$resp_h);
> 	if ( resp_loc?$longitude && resp_loc?$latitude )
> 		c$conn$resp_loc = resp_loc;
> 	}
> 
> Produces this output in JSON, for example:
> {
>     "ts": "2013-04-26T12:12:02.341149Z",
>     "uid": "C0GaiXWHKY4Uj0qke",
>     "id.orig_h": "83.161.249.149",
>     "id.orig_p": 49318,
>     "id.resp_h": "68.232.35.139",
>     "id.resp_p": 443,
>     "proto": "tcp",
>     "conn_state": "SHR",
>     "missed_bytes": 0,
>     "history": "f",
>     "orig_pkts": 0,
>     "orig_ip_bytes": 0,
>     "resp_pkts": 1,
>     "resp_ip_bytes": 67,
>     "tunnel_parents": [],
>     "orig_loc.country_code": "NL",
>     "orig_loc.latitude": 52.366699,
>     "orig_loc.longitude": 4.9,
>     "resp_loc.country_code": "US",
>     "resp_loc.region": "CA",
>     "resp_loc.city": "Santa Monica",
>     "resp_loc.latitude": 34.011902,
>     "resp_loc.longitude": -118.468201
>   }
> 
> According to the Elasticsearch documentation I need an output like
> 
> "resp_loc": {
> 	"lat": 52.366699,
> 	"long": 4.9
> }
> 
> https://www.elastic.co/guide/en/elasticsearch/reference/current/mapping-geo-point-type.html
> 
> 
> 
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
> 
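An added example, not part of the thread above and not Bro's own code: a small Python pre-processor that takes the flattened JSON lines Bro's JSON writer emits (as in the record quoted above), nests the dotted keys, and folds each orig_loc/resp_loc latitude/longitude pair into the object form of geo_point that Elasticsearch accepts. Note that the object form uses the keys "lat" and "lon", not "long". A half-present or out-of-range coordinate is left as plain floats rather than turned into a point, because one bad geo_point gets the whole document rejected. The index name "bro-conn", the sub-field name "location", and the typeless mapping shape (Elasticsearch 7+; 1.x/2.x put "properties" under a type name) are assumptions, and the sample line is constructed from the record in the thread.

```python
import json

# Constructed sample input: one JSON conn.log record shaped like the one quoted
# in the thread (same field names; values are illustrative, not captured data).
SAMPLE_LINE = (
    '{"ts": "2013-04-26T12:12:02.341149Z", "uid": "C0GaiXWHKY4Uj0qke", '
    '"id.orig_h": "83.161.249.149", "id.orig_p": 49318, '
    '"id.resp_h": "68.232.35.139", "id.resp_p": 443, "proto": "tcp", '
    '"orig_loc.country_code": "NL", "orig_loc.latitude": 52.366699, '
    '"orig_loc.longitude": 4.9, "resp_loc.country_code": "US", '
    '"resp_loc.region": "CA", "resp_loc.city": "Santa Monica", '
    '"resp_loc.latitude": 34.011902, "resp_loc.longitude": -118.468201}'
)

# The two Conn::Info fields the Bro script adds. "location" is the sub-field
# name chosen here (an assumption) for the geo_point Elasticsearch indexes.
GEO_RECORDS = ("orig_loc", "resp_loc")
GEO_POINT_FIELD = "location"
INDEX_NAME = "bro-conn"  # assumed index name

# Explicit mapping so the point is indexed as geo_point, not as two floats.
# Typeless (Elasticsearch 7+) shape; 1.x/2.x nest "properties" under a type name.
CONN_MAPPING = {
    "mappings": {
        "properties": {
            name: {"properties": {GEO_POINT_FIELD: {"type": "geo_point"}}}
            for name in GEO_RECORDS
        }
    }
}


def unflatten(flat):
    """Turn Bro's dotted keys ("id.orig_h") into nested objects ({"id": {"orig_h": ..}})."""
    nested = {}
    for key, value in flat.items():
        parts = key.split(".")
        node = nested
        for part in parts[:-1]:
            node = node.setdefault(part, {})
            if not isinstance(node, dict):
                raise ValueError("key %r collides with a scalar field" % key)
        node[parts[-1]] = value
    return nested


def valid_point(lat, lon):
    """Return {"lat", "lon"} or None; Elasticsearch rejects a document whose point is bad."""
    try:
        lat, lon = float(lat), float(lon)
    except (TypeError, ValueError):
        return None
    if not (-90.0 <= lat <= 90.0 and -180.0 <= lon <= 180.0):
        return None
    return {"lat": lat, "lon": lon}


def add_geo_points(doc):
    """Fold latitude/longitude into the {"lat": .., "lon": ..} object form of geo_point."""
    for name in GEO_RECORDS:
        loc = doc.get(name)
        if not isinstance(loc, dict):
            continue  # the field is &optional in Bro, so it is often absent
        point = valid_point(loc.get("latitude"), loc.get("longitude"))
        if point is None:
            continue  # incomplete or out of range: keep the raw fields, index no point
        loc[GEO_POINT_FIELD] = point
        del loc["latitude"]
        del loc["longitude"]
    return doc


def bro_json_to_es(line):
    """One Bro JSON log line -> one Elasticsearch document (a dict)."""
    return add_geo_points(unflatten(json.loads(line)))


def to_bulk_lines(lines, index=INDEX_NAME):
    """Build _bulk NDJSON; using Bro's uid as _id makes re-indexing idempotent."""
    out = []
    for line in lines:
        doc = bro_json_to_es(line)
        action = {"index": {"_index": index}}
        if "uid" in doc:
            action["index"]["_id"] = doc["uid"]
        out.append(json.dumps(action))
        out.append(json.dumps(doc))
    return out


if __name__ == "__main__":
    # PUT the mapping once before the first index, then feed the pairs to _bulk.
    print(json.dumps(CONN_MAPPING, indent=2))
    print("\n".join(to_bulk_lines([SAMPLE_LINE])))
```

Create the index with CONN_MAPPING before the first document arrives; if dynamic mapping sees the point first it will be typed as an object of two floats and Kibana's map visualisation will not find a geo_point field. The same transform can be expressed as a Logstash filter, but doing it in a script keeps the rejected-point behaviour explicit and testable.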
