[Bro] Couple items for ES

James Lay jlay at slave-tothe-box.net
Wed Sep 14 08:53:26 PDT 2016


And a couple more (guess what I'm doing today....)

The below fixes dots in field names (id.orig_h for example) with ES
2.4.0:

https://www.elastic.co/guide/en/elasticsearch/reference/current/dots-in-names.html

A lot of your fields you can map via Kibana, but a couple you can't,
namely ts, id.orig_h and id.resp_h.  Once that's done, here's a curl line to
create a mapping template:

curl -XPUT "http://localhost:9200/_template/bro_template" -d'
{
  "template": "bro-*",
  "mappings": {
    "bro_ts": {
      "properties": {
        "ts": {
          "type": "date",
          "format": "epoch_millis"
        }
      }
    },
    "bro_orig_h": {
      "properties": {
        "id.orig_h": {
          "type": "ip"
        }
      }
    },
    "bro_resp_h": {
      "properties": {
        "id.resp_h": {
          "type": "ip"
        }
      }
    }
  }
}'

This will allow new indexes to have the above.  For me, as this is a new
install, I just nuked all bro-* indexes and started over, THEN I went to
Kibana to add bro-* as an index where ts shows as the time-field name.

Hope this helps someone in the world :) 

James
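An added example, not code from James's post or from the Bro project: the same kind of bro-* index template pushed to Elasticsearch 2.4 with Python's standard library, followed by a check that a freshly created bro-* index really maps ts as a date and id.orig_h / id.resp_h as ip. It goes a little beyond the post in two ways: it puts the three fields under the `_default_` mapping so they get the same type whatever type name the Bro writer uses for the index, and it reads the mapping back instead of trusting that the template applied. ES_URL, the index name bro-template-check, and the function names are assumptions; the template name bro_template is the one from the post. Note that ES 2.4 expands a dotted property name such as id.orig_h into object `id` with field `orig_h`, so the GET _mapping response comes back nested, which is what the lookup below walks.

```python
"""Push a bro-* mapping template to Elasticsearch 2.4 and verify it took effect.

Added example, not from the original post. Assumes an unauthenticated ES 2.4
node at ES_URL (assumption) and that the template from the post is named
bro_template. Python 3, standard library only.
"""
import json
import sys
import urllib.request

ES_URL = "http://localhost:9200"        # assumption: local, unauthenticated ES 2.4
TEMPLATE_NAME = "bro_template"          # name used in the post

# Fields Kibana cannot retype after the fact, and the mapping each one needs.
WANTED = {
    "ts": {"type": "date", "format": "epoch_millis"},
    "id.orig_h": {"type": "ip"},
    "id.resp_h": {"type": "ip"},
}


def build_template(pattern="bro-*"):
    """Index template body. `_default_` applies to every doc type in the index,
    so the mapping holds whatever type name the Bro ES writer uses."""
    return {
        "template": pattern,
        "mappings": {"_default_": {"properties": dict(WANTED)}},
    }


def lookup(properties, dotted):
    """Resolve a dotted field name inside a mapping's `properties`.
    ES 2.4 stores 'id.orig_h' as object 'id' -> field 'orig_h', so the
    mapping response is nested; a flat key is also accepted."""
    if dotted in properties:
        return properties[dotted]
    node = {"properties": properties}
    for part in dotted.split("."):
        node = node.get("properties", {}).get(part)
        if node is None:
            return None
    return node


def check_mapping(mapping_response, index):
    """Return a list of problems found in a GET /<index>/_mapping response.
    Empty list means every wanted field is mapped with the wanted type/format
    in at least one doc type and nowhere with a conflicting one."""
    problems = []
    seen = set()
    types = mapping_response.get(index, {}).get("mappings", {})
    for doc_type, mapping in types.items():
        for name, want in WANTED.items():
            got = lookup(mapping.get("properties", {}), name)
            if got is None:
                continue            # field absent from this type; nothing to judge
            seen.add(name)
            for key, value in want.items():
                if got.get(key) != value:
                    problems.append(
                        f"{index}/{doc_type}: {name}.{key}={got.get(key)!r}, want {value!r}")
    for name in WANTED:
        if name not in seen:
            problems.append(f"{index}: {name} not mapped in any type (template not applied?)")
    return problems


def es(method, path, body=None):
    """Minimal JSON-over-HTTP call against ES_URL (assumed reachable)."""
    data = None if body is None else json.dumps(body).encode()
    req = urllib.request.Request(ES_URL + path, data=data, method=method,
                                 headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def main(index="bro-template-check"):
    """Install the template, create a throwaway bro-* index, inspect its mapping.
    A template only affects indexes created after it is installed, which is why
    the post recreated the existing bro-* indexes."""
    es("PUT", f"/_template/{TEMPLATE_NAME}", build_template())
    es("PUT", f"/{index}")
    try:
        problems = check_mapping(es("GET", f"/{index}/_mapping"), index)
    finally:
        es("DELETE", f"/{index}")
    for problem in problems:
        print(problem)
    print("OK" if not problems else f"{len(problems)} problem(s)")
    return not problems


if __name__ == "__main__":
    sys.exit(0 if main() else 1)
```

If the script reports "not mapped in any type", the template was not picked up for that index pattern; if it reports a type mismatch such as ts being a long, the index was created (and dynamically mapped) before the template existed and has to be recreated, as the post describes.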

On 2016-09-13 11:31, James Lay wrote: 

> From the page:
> 
> https://www.bro.org/sphinx/components/bro-plugins/elasticsearch/README.html
> 
> ~~~
> Installing the ElasticSearch Plugin
> 
> First, ensure that you have libcurl (headers and library) installed. 
> Then the following will compile and install the plugin alongside Bro:
> 
> # ./configure && make && make install
> See the output of ./configure --help for additional options if it can't 
> find any of the prerequisites.
> 
> If everything built and installed correctly, you should see this:
> 
> # bro -N Bro::ElasticSearch
> Bro::ElasticSearch - ElasticSearch log writer (dynamic, version 1.0)
> ~~~
> 
> 1.  Might wanna add the fact that you need to cd to 
> bro-2.4.1/aux/plugins/elasticsearch before the ./configure && make && 
> make install line and
> 2.  Might also wanna specify that the default plugin dir to install in 
> is bro-install-dir/lib/bro/plugins/
> 
> James
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
 
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 2016-09-13 16_55_04-Settings - Kibana.jpg
Type: image/jpeg
Size: 120120 bytes
Desc: not available
Url : http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20160914/823681bb/attachment-0001.jpg 