[Bro] Bro-IDS and Logstash....a start (James Lay)

Jeff Geiger jeff.geiger at gmail.com
Mon Oct 28 19:35:43 PDT 2013


Sounds like you are missing the base patterns.

See:
https://github.com/logstash/logstash/blob/master/patterns/grok-patterns


- Jeff

On Oct 28, 2013, at 21:30, "김희철" <hckim at narusec.com> wrote:

Hi
I am having trouble with logstash

I followed your direction, but when I run
java -jar logstash-1.2.2-flatjar.jar agent -f logstash.conf -- web

I got an error message

The error reported is:
  pattern %{BASE10NUM:unixtime} not defined

here is a related link  <https://logstash.jira.com/browse/LOGSTASH-1316>

is there a way to run with web?


On Sat, Oct 26, 2013 at 4:00 AM, <bro-request at bro.org> wrote:

> Message: 1
> Date: Thu, 24 Oct 2013 15:48:10 -0600
> From: James Lay <jlay at slave-tothe-box.net>
> Subject: [Bro] Bro-IDS and Logstash....a start
> To: Bro <bro at bro.org>
> Message-ID: <9052ad62fc8a6270e62c2ae96e4b0dc5 at localhost>
> Content-Type: text/plain; charset=UTF-8; format=flowed
>
> And away we go!  Snag logstash
> (
> https://download.elasticsearch.org/logstash/logstash/logstash-1.2.1-flatjar.jar
> ),
> make a dir and put it in there, create a file (logstash.conf) and add:
>
> input {
>          file {
>                  path => "/usr/local/bro/spool/bro/conn.log"
>          }
> }
>
> filter {
>          grok {
>                  match => [ "message",
>
> "%{BASE10NUM:unixtime}\t%{WORD:uid}\t%{IP:src_ip}\t%{BASE10NUM:src_port}\t%{IP:dst_ip}\t%{BASE10NUM:dst_port}\t%{WORD:proto}\t%{USERNAME:service}\t%{USERNAME:sec_dur}\t%{USERNAME:orig_bytes}\t%{USERNAME:resp_bytes}\t%{WORD:conn_state}\t%{WORD:local_orig}\t%{INT:missed_bytes}\t%{WORD:history}\t%{USERNAME:orig_packets}\t%{INT:orig_ip_bytes}\t%{INT:resp_packets}\t%{INT:resp_ip_bytes}\t%{DATA:tun_parent}"
> ]
>          }
>          geoip {
>                  source => "src_ip"
>                  target => "src_geoip"
>                  fields => [ "ip", "country_code2", "country_name",
> "latitude", "longitude" ]
>                  add_field => [ "coordinates",
> "%{[src_geoip][longitude]},%{[src_geoip][latitude]}" ]
>                  add_field => [ "srccountry",
> "%{[src_geoip][country_code2]}"]
>          }
>          geoip {
>                  source => "dst_ip"
>                  target => "dst_geoip"
>                  fields => [ "ip", "country_code2", "country_name",
> "latitude", "longitude" ]
>                  add_field => [ "coordinates",
> "%{[dst_geoip][longitude]},%{[dst_geoip][latitude]}" ]
>                  add_field => [ "dstcountry",
> "%{[dst_geoip][country_code2]}"]
>          }
>
> }
> output {
>          elasticsearch { embedded => true }
> }
>
> start with:
> sudo java -jar logstash-1.2.2-flatjar.jar agent -f logstash.conf -- web
>
> If you're local on the net, point your Firefox to yourmachine:9292; I needed
> to tunnel 9200, 9300, and 9301 to get it to work remotely.  That's all I
> got currently... more to come I hope.  Enjoy!
>
> James
>
>

_______________________________________________
Bro mailing list
bro at bro-ids.org
http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
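The grok line in James's config is positional: it only works if it captures exactly one name per conn.log column, in Bro's order, and it has no way to handle the #-prefixed header lines or the "-" unset marker. The Python below is an added example (not code from the post, from Bro, or from Logstash) that parses a conn.log by its own #fields/#types header instead, maps "-" to None and "(empty)" to an empty list, and then checks the posted grok string against that header for column-count mismatches and reused capture names. The sample log is constructed for this example, and the grok string is reproduced from the post only so it can be checked.

```python
"""Parse a Bro conn.log by its #fields/#types header and sanity-check a grok pattern.

Added example; not the code from James Lay's post or from the Bro/Logstash
projects. SAMPLE_CONN_LOG is constructed for this example.
"""
import re

# The grok match string from the post, reproduced only so its capture names
# can be compared with the Bro header (note resp_bytes appears twice).
POSTED_GROK = (
    r"%{BASE10NUM:unixtime}\t%{WORD:uid}\t%{IP:src_ip}\t%{BASE10NUM:src_port}\t"
    r"%{IP:dst_ip}\t%{BASE10NUM:dst_port}\t%{WORD:proto}\t%{USERNAME:service}\t"
    r"%{USERNAME:sec_dur}\t%{USERNAME:orig_bytes}\t%{USERNAME:resp_bytes}\t"
    r"%{WORD:conn_state}\t%{WORD:local_orig}\t%{INT:missed_bytes}\t%{WORD:history}\t"
    r"%{USERNAME:orig_packets}\t%{INT:orig_ip_bytes}\t%{INT:resp_packets}\t"
    r"%{INT:resp_bytes}\t%{DATA:tun_parent}"
)

# Constructed conn.log in the Bro 2.x ASCII format; tabs are joined here so
# the separator survives copy and paste.
SAMPLE_CONN_LOG = "\n".join([
    "#separator \\x09",
    "\t".join(["#set_separator", ","]),
    "\t".join(["#empty_field", "(empty)"]),
    "\t".join(["#unset_field", "-"]),
    "\t".join(["#path", "conn"]),
    "\t".join(["#fields", "ts", "uid", "id.orig_h", "id.orig_p", "id.resp_h",
               "id.resp_p", "proto", "service", "duration", "orig_bytes",
               "resp_bytes", "conn_state", "local_orig", "missed_bytes",
               "history", "orig_pkts", "orig_ip_bytes", "resp_pkts",
               "resp_ip_bytes", "tunnel_parents"]),
    "\t".join(["#types", "time", "string", "addr", "port", "addr", "port",
               "enum", "string", "interval", "count", "count", "string",
               "bool", "count", "string", "count", "count", "count", "count",
               "table[string]"]),
    "\t".join(["1382651290.123456", "CXWv6p3arKYeMETxOg", "192.0.2.10", "51234",
               "198.51.100.5", "80", "tcp", "http", "0.512345", "340", "1250",
               "SF", "-", "0", "ShADadfF", "6", "660", "5", "1510", "(empty)"]),
    "\t".join(["1382651291.000000", "CjhGID4nQcgTWjvg4c", "192.0.2.11", "40000",
               "198.51.100.6", "53", "udp", "-", "-", "-", "-", "S0", "-", "0",
               "D", "1", "64", "0", "0", "(empty)"]),
    "\t".join(["#close", "2013-10-24-15-49-00"]),
])

_GROK_NAME = re.compile(r"%\{\w+:(\w+)\}")


def grok_field_names(pattern):
    """Return the capture names in a grok match string, in order."""
    return _GROK_NAME.findall(pattern)


def duplicate_names(names):
    """Names assigned more than once: two captures then write the same field."""
    seen, dups = set(), []
    for name in names:
        if name in seen and name not in dups:
            dups.append(name)
        seen.add(name)
    return dups


def _convert(value, btype, unset, empty, set_sep):
    """Map one raw column to a Python value using its #types entry."""
    if value == unset:
        return None
    if btype.startswith(("set[", "table[", "vector[")):
        return [] if value == empty else value.split(set_sep)
    if value == empty:
        return ""
    if btype in ("count", "int", "port"):
        return int(value)
    if btype in ("time", "interval", "double"):
        return float(value)
    if btype == "bool":
        return value == "T"
    return value  # string, addr, enum, subnet: keep the text


def parse_bro_log(text):
    """Parse Bro ASCII log text; returns (field_names, list_of_record_dicts)."""
    sep, set_sep, empty, unset = "\t", ",", "(empty)", "-"
    fields, types, records = [], [], []
    for line in text.splitlines():
        if not line:
            continue
        if line.startswith("#separator "):
            # The separator is written escaped (\x09); later lines use it raw.
            sep = line[len("#separator "):].encode().decode("unicode_escape")
            continue
        if line.startswith("#"):
            key, _, rest = line[1:].partition(sep)
            if key == "set_separator":
                set_sep = rest
            elif key == "empty_field":
                empty = rest
            elif key == "unset_field":
                unset = rest
            elif key == "fields":
                fields = rest.split(sep)
            elif key == "types":
                types = rest.split(sep)
            continue  # #path, #open, #close carry no record data
        if not fields or len(types) != len(fields):
            raise ValueError("record seen before a complete #fields/#types header")
        values = line.split(sep)
        if len(values) != len(fields):
            raise ValueError("expected %d columns, got %d" % (len(fields), len(values)))
        records.append({f: _convert(v, t, unset, empty, set_sep)
                        for f, t, v in zip(fields, types, values)})
    return fields, records


def check_grok_against_header(pattern, fields):
    """Positional grok needs one unique capture per column; return the pairing or raise."""
    names = grok_field_names(pattern)
    if len(names) != len(fields):
        raise ValueError("grok captures %d fields, log has %d" % (len(names), len(fields)))
    dups = duplicate_names(names)
    if dups:
        raise ValueError("grok reuses field name(s): %s" % ", ".join(dups))
    return list(zip(names, fields))


if __name__ == "__main__":
    hdr, recs = parse_bro_log(SAMPLE_CONN_LOG)
    for rec in recs:
        print(rec["uid"], rec["id.orig_h"], rec["id.resp_p"], rec["service"], rec["duration"])
    try:
        check_grok_against_header(POSTED_GROK, hdr)
    except ValueError as err:
        print("posted grok pattern:", err)
```

Run as-is it prints the two constructed records and then reports that the posted pattern reuses resp_bytes; renaming the last INT capture to resp_ip_bytes makes the check pass with 20 pairs.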