[Bro] Bro-IDS and Logstash....a start (James Lay)

James Lay jlay at slave-tothe-box.net
Mon Oct 28 19:42:24 PDT 2013


Run it again with sudo… you’ll most likely get another error; then run it one more time… the 3rd time it will work.  Why, I have no idea :)

James

On Oct 28, 2013, at 8:21 PM, 김희철 <hckim at narusec.com> wrote:

> Hi
> I am having trouble with logstash.
> 
> I followed your direction, but when I run
> java -jar logstash-1.2.2-flatjar.jar agent -f logstash.conf -- web
> 
> I got an error message:
> 
> The error reported is: 
>   pattern %{BASE10NUM:unixtime} not defined
> 
> Here is a related link:
> 
> Is there a way to run with web?
> 
> 
> On Sat, Oct 26, 2013 at 4:00 AM, <bro-request at bro.org> wrote:
> 
> Message: 1
> Date: Thu, 24 Oct 2013 15:48:10 -0600
> From: James Lay <jlay at slave-tothe-box.net>
> Subject: [Bro] Bro-IDS and Logstash....a start
> To: Bro <bro at bro.org>
> Message-ID: <9052ad62fc8a6270e62c2ae96e4b0dc5 at localhost>
> Content-Type: text/plain; charset=UTF-8; format=flowed
> 
> And away we go!  Snag logstash
> (https://download.elasticsearch.org/logstash/logstash/logstash-1.2.1-flatjar.jar),
> make a dir and put it in there, create a file (logstash.conf) and add:
> 
> input {
>   file {
>     path => "/usr/local/bro/spool/bro/conn.log"
>   }
> }
> 
> filter {
>   # conn.log carries #separator/#fields/#types/#close header lines that the
>   # grok below can never match; drop them instead of tagging _grokparsefailure
>   if [message] =~ /^#/ { drop { } }
>   grok {
>     # service, local_orig and history may be "-" (unset), which WORD/USERNAME
>     # do not match, so NOTSPACE is used; the last column was mis-named
>     # resp_bytes a second time (it is resp_ip_bytes); DATA at the very end of
>     # a pattern matches the empty string, so GREEDYDATA is needed there
>     match => [ "message",
> "%{BASE10NUM:unixtime}\t%{WORD:uid}\t%{IP:src_ip}\t%{BASE10NUM:src_port}\t%{IP:dst_ip}\t%{BASE10NUM:dst_port}\t%{WORD:proto}\t%{NOTSPACE:service}\t%{USERNAME:sec_dur}\t%{USERNAME:orig_bytes}\t%{USERNAME:resp_bytes}\t%{WORD:conn_state}\t%{NOTSPACE:local_orig}\t%{INT:missed_bytes}\t%{NOTSPACE:history}\t%{USERNAME:orig_packets}\t%{INT:orig_ip_bytes}\t%{INT:resp_packets}\t%{INT:resp_ip_bytes}\t%{GREEDYDATA:tun_parent}"
>     ]
>   }
>   geoip {
>     source => "src_ip"
>     target => "src_geoip"
>     fields => [ "ip", "country_code2", "country_name", "latitude", "longitude" ]
>     add_field => [ "coordinates", "%{[src_geoip][longitude]},%{[src_geoip][latitude]}" ]
>     add_field => [ "srccountry", "%{[src_geoip][country_code2]}" ]
>   }
>   geoip {
>     source => "dst_ip"
>     target => "dst_geoip"
>     fields => [ "ip", "country_code2", "country_name", "latitude", "longitude" ]
>     add_field => [ "coordinates", "%{[dst_geoip][longitude]},%{[dst_geoip][latitude]}" ]
>     add_field => [ "dstcountry", "%{[dst_geoip][country_code2]}" ]
>   }
> }
> 
> output {
>   elasticsearch { embedded => true }
> }
> 
> start with:
> sudo java -jar logstash-1.2.2-flatjar.jar agent -f logstash.conf -- web
> 
> If you're local on the net, point your Firefox to yourmachine:9292; I needed
> to tunnel 9200, 9300, and 9301 to get it to work remotely.  That's all I've
> got currently... more to come, I hope.  Enjoy!
> 
> James
> 
> 
> ------------------------------
> 
> _______________________________________________
> Bro mailing list
> Bro at bro.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
> 
> 
> End of Bro Digest, Vol 90, Issue 29
> ***********************************
> 
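As an added example (not code from this thread, nor from Bro or Logstash): a small Python parser that reads a Bro conn.log using the file's own `#fields`/`#types` header lines, which sidesteps the column-order and unset-value (`-`) pitfalls of the hard-coded grok pattern quoted above. The sample log content is constructed.

```python
# Added example (not code from the thread): parse Bro conn.log by reading its own
# #fields/#types headers instead of a hard-coded grok column order, so a "-"
# (unset) cell or a reordered column cannot silently mis-map a field.
# Constructed sample conn.log: Bro 2.x header lines, one record, #close footer.
SAMPLE_CONN_LOG = (
    "#separator \\x09\n#set_separator\t,\n#empty_field\t(empty)\n#unset_field\t-\n"
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto"
    "\tservice\tduration\torig_bytes\tresp_bytes\tconn_state\tlocal_orig"
    "\tmissed_bytes\thistory\torig_pkts\torig_ip_bytes\tresp_pkts"
    "\tresp_ip_bytes\ttunnel_parents\n"
    "#types\ttime\tstring\taddr\tport\taddr\tport\tenum\tstring\tinterval"
    "\tcount\tcount\tstring\tbool\tcount\tstring\tcount\tcount\tcount\tcount"
    "\ttable[string]\n"
    "1382650090.123456\tCHhAvVGS1DHFjwGM9\t192.0.2.10\t52345\t198.51.100.7"
    "\t80\ttcp\thttp\t0.230431\t512\t1024\tSF\t-\t0\tShADadfF\t6\t836\t5"
    "\t1290\t(empty)\n#close\t2013-10-24-15-49-00\n"
)

def _convert(value, bro_type, opts):
    if value == opts["unset_field"]:  # Bro's unset marker, usually "-"
        return None
    if bro_type in ("count", "int", "port"):
        return int(value)
    if bro_type in ("time", "interval", "double"):
        return float(value)
    if bro_type == "bool":
        return value == "T"
    if bro_type.startswith(("set[", "table[", "vector[")):
        return [] if value == opts["empty_field"] else value.split(opts["set_separator"])
    return value

def parse_conn_log(text):
    """Return one dict per record; '#' header lines configure the parser."""
    opts = {"unset_field": "-", "empty_field": "(empty)", "set_separator": ","}
    fields, types, records = [], [], []
    for line in text.splitlines():
        if line.startswith("#"):
            key, _, rest = line[1:].partition("\t")
            if key == "fields":
                fields = rest.split("\t")
            elif key == "types":
                types = rest.split("\t")
            elif key in opts:
                opts[key] = rest
            continue  # #separator, #path, #open, #close carry no record data
        cols = line.split("\t")
        if len(cols) != len(fields):  # no #fields seen yet, or a truncated line
            raise ValueError("expected %d columns, got %d" % (len(fields), len(cols)))
        records.append({f: _convert(v, t, opts) for f, v, t in zip(fields, cols, types)})
    return records
```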
