[Bro] Couple elasticsearch questions
Hosom, Stephen M
hosom at battelle.org
Wed Jul 23 10:11:59 PDT 2014
How does Bro handle indexes within ES? Does it rotate indexes, or does it write to one extremely large index with TTLs?
-----Original Message-----
From: bro-bounces at bro.org [mailto:bro-bounces at bro.org] On Behalf Of Seth Hall
Sent: Wednesday, July 23, 2014 12:32 PM
To: James Lay
Cc: bro at bro-ids.org
Subject: Re: [Bro] Couple elasticsearch questions
On Jul 23, 2014, at 12:15 PM, James Lay <jlay at slave-tothe-box.net> wrote:
> Negative. In order to get Logstash/Kibana to identify fields, the
> grok patterns are what is used. I guess that's the question for
> me....does Bro dump the data raw into elasticsearch?
Bro will write the logs directly into elasticsearch (with the fields separated and named correctly). You don't need logstash at all. The only difference is that in your kibana config, you'll need to make it use slightly different index names. I'm hoping that this is something we'll have more guidance on at some point. I definitely recognize that more cleanup needs to done to this code to make it more resilient and make it easier to get to an end-result.
.Seth
--
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro.org/
More information about the Bro
mailing list