[Bro] script to extract elastic search mapping from header of bro-logs
vladg at illinois.edu
Fri Apr 28 07:55:05 PDT 2017
ElasticSearch gets difficult, because there's a lot of context-specific
data that should be captured too, especially when it comes to indexing.
For example, I liked to index domain names with a reverse-path
tokenization on '.' as the delimiter, so that www.ncsa.illinois.edu will
show up in searches for "edu," "illinois.edu," "ncsa.illinois.edu," and
"www.ncsa.illinois.edu." Capturing this context can be very tricky, and
I don't think that it's currently available in the ASCII logs.
I'd be curious if anyone has thoughts on how to improve this.
Frank Meier <franky.meier.1 at gmx.de> writes:
> On Wed, 26 Apr 2017 05:10:04 -0700 Johanna Amann <johanna at icir.org>
>> in case you are talking about importing a Bro ASCII log into the
>> - I did something like that for Postgres once. My script automatically
>> created tables with the right types (including stuff like inet), and
>> converted sets and vectors to postgres arrays.
> thanks, that's what I was thinking about.
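Added example, not code from the original post or from the Bro project: a Python sketch of the reverse-path tokenization described above (every dotted suffix of a host name becomes a token, so www.ncsa.illinois.edu is found by searches for "edu", "illinois.edu", "ncsa.illinois.edu" and "www.ncsa.illinois.edu"), together with the Elasticsearch index settings that do the same server-side (a path_hierarchy tokenizer with delimiter "." and reverse=true) and a field mapping derived from a Bro ASCII log header, the kind of script the thread subject asks about. The analyzer names reverse_domain and lowercase_keyword, the tokenizer name reverse_dot_path, the Bro-to-Elasticsearch type table, the choice of which fields get the domain analyzer, and the sample dns.log header are all assumptions made for this example.

```python
"""Added example, not code from the original post or from Bro.

Emulates reverse-path tokenization of domain names and builds an
Elasticsearch index body (settings + mappings) from a Bro ASCII log
header.  Analyzer/tokenizer names, the type table and SAMPLE_HEADER are
assumptions made for this example.
"""
import json
import re

# Constructed, abbreviated Bro 2.x dns.log header (fields are tab-separated).
SAMPLE_HEADER = """#separator \\x09
#set_separator\t,
#empty_field\t(empty)
#unset_field\t-
#path\tdns
#fields\tts\tuid\tid.orig_h\tid.orig_p\tquery\tqtype\tanswers
#types\ttime\tstring\taddr\tport\tstring\tcount\tvector[string]
"""

# Assumed Bro -> Elasticsearch type table; "time" is kept numeric here.
BRO_TO_ES = {
    "time": "double", "interval": "double", "double": "double",
    "count": "long", "int": "long", "port": "integer",
    "addr": "ip", "subnet": "ip_range", "bool": "boolean",
    "string": "keyword", "enum": "keyword",
}
CONTAINER = re.compile(r"^(set|vector)\[(.+)\]$")


def reverse_domain_tokens(name):
    """Every whole-label suffix of a dotted name, longest first, i.e. the
    token stream an ES path_hierarchy tokenizer (delimiter ".", reverse=true)
    emits after lower-casing; a trailing FQDN dot is dropped."""
    labels = [l for l in name.strip().lower().rstrip(".").split(".") if l]
    return [".".join(labels[i:]) for i in range(len(labels))]


def suffix_match(indexed_name, term):
    """True when a search for `term` would hit a document whose field holds
    indexed_name, given the term is kept as ONE lower-cased token at search
    time (see lowercase_keyword below).  Only whole-label suffixes match:
    'illinois.edu' yes; 'ncsa' or 'linois.edu' no."""
    return term.strip().lower().rstrip(".") in reverse_domain_tokens(indexed_name)


def bro_type_to_es(bro_type):
    """Map one Bro type to an ES field type.  ES fields hold arrays natively,
    so set[T] / vector[T] map to the element type (cf. Postgres arrays)."""
    m = CONTAINER.match(bro_type)
    if m:
        bro_type = m.group(2)
    return BRO_TO_ES.get(bro_type, "keyword")


def mapping_from_header(header_text, domain_fields=("query",)):
    """Build the ES mapping from the #fields / #types header lines.
    Fields named in domain_fields (assumed) get the reverse-domain analyzer;
    that context is not in the log header and must be supplied by hand."""
    fields = types = None
    for line in header_text.splitlines():
        if line.startswith("#fields\t"):
            fields = line.split("\t")[1:]
        elif line.startswith("#types\t"):
            types = line.split("\t")[1:]
    if not fields or not types or len(fields) != len(types):
        raise ValueError("header lacks matching #fields/#types lines")
    props = {}
    for name, bro_type in zip(fields, types):
        if name in domain_fields:
            props[name] = {"type": "text", "analyzer": "reverse_domain",
                           "search_analyzer": "lowercase_keyword"}
        else:
            props[name] = {"type": bro_type_to_es(bro_type)}
    return {"properties": props}


def index_body(header_text):
    """Complete index body in ES 7+ (single-type) mapping format."""
    return {
        "settings": {"analysis": {
            "tokenizer": {
                # Emits the dotted suffixes starting from the right-hand end.
                "reverse_dot_path": {"type": "path_hierarchy",
                                     "delimiter": ".", "reverse": True}},
            "analyzer": {
                # Index side: one token per suffix.
                "reverse_domain": {"tokenizer": "reverse_dot_path",
                                   "filter": ["lowercase"]},
                # Search side: the user's term stays a single token, so a
                # search for "illinois.edu" does not also match every .edu host.
                "lowercase_keyword": {"tokenizer": "keyword",
                                      "filter": ["lowercase"]}}}},
        "mappings": mapping_from_header(header_text),
    }


if __name__ == "__main__":
    print(reverse_domain_tokens("www.ncsa.illinois.edu"))
    print(json.dumps(index_body(SAMPLE_HEADER), indent=2))
```

The search_analyzer choice is the part worth noting: if the query term were run through the same reverse_domain analyzer, "illinois.edu" would also be tokenized into "edu" and match every .edu host, so the term is kept as a single lower-cased keyword token instead. The mapping_from_header helper shows the limit the post describes: the header gives field names and Bro types, but which string fields hold domain names (and therefore deserve this analyzer) has to be supplied from outside the ASCII log.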