[Bro] Couple elasticsearch questions
James Lay
jlay at slave-tothe-box.net
Thu Jul 24 12:59:31 PDT 2014
On 2014-07-23 10:31, Seth Hall wrote:
> On Jul 23, 2014, at 12:15 PM, James Lay <jlay at slave-tothe-box.net> wrote:
>
>> Negative. In order to get Logstash/Kibana to identify fields, the grok
>> patterns are what is used. I guess that's the question for me....does
>> Bro dump the data raw into elasticsearch?
>
> Bro will write the logs directly into elasticsearch (with the fields
> separated and named correctly). You don't need logstash at all. The
> only difference is that in your kibana config, you'll need to make it
> use slightly different index names. I'm hoping that this is something
> we'll have more guidance on at some point. I definitely recognize
> that more cleanup needs to be done to this code to make it more resilient
> and make it easier to get to an end-result.
>
> .Seth
>
> --
> Seth Hall
> International Computer Science Institute
> (Bro) because everyone has a network
> http://www.bro.org/
Confirming that this works like a champ. My testing here is using
Logstash with its built-in Kibana, and a separate instance of
Elasticsearch since there's more going in than just Bro. In fact the
whole idea is to tie in bro, snort, and syslogs. With bro going direct
to elasticsearch, there's nothing to really configure, save just to make
sure your Kibana index is set to _all. Kibana also allows you to tweak
the timestamp so the original unix time, after tweaking, shows up as
2014-07-24T12:16:05.795-06:00 for example. My next step will be to get
snort and firewall logs in....ironically, the Bro portion has been the
easiest :) Thanks for the work on this!
James
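The reason no grok patterns are needed is that a Bro log already carries its field names and types in its own header; the snippet below, an added example that is not from the thread or from Bro's ElasticSearch writer, reads a constructed conn.log excerpt with those headers and produces Elasticsearch-style documents, rendering the `ts` epoch value in the same timezone-shifted ISO form James quotes above (the UIDs, addresses and the -06:00 offset are assumed sample values).

```python
# Added example: parse a Bro ASCII log into Elasticsearch-style documents.
# Field names and types come from the #fields/#types header, so no grok
# patterns are needed. The log excerpt below is constructed, not captured.
from datetime import datetime, timedelta, timezone

SAMPLE_LOG = "\n".join([
    "#separator \\x09",
    "#unset_field\t-",
    "#path\tconn",
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tduration\torig_bytes",
    "#types\ttime\tstring\taddr\tport\taddr\tport\tenum\tinterval\tcount",
    "1406225765.795123\tCXWv6p3arKYeMETxOg\t10.0.0.5\t51234\t93.184.216.34\t80\ttcp\t0.25\t512",
    "1406225766.100000\tCjhGID4nQcgTWjvg4c\t10.0.0.5\t51235\t10.0.0.1\t53\tudp\t-\t-",
])

def bro_ts_to_iso(ts, utc_offset_hours=-6):
    """Render a Bro epoch timestamp the way Kibana shows it after the
    timezone tweak: 1406225765.795123 -> 2014-07-24T12:16:05.795-06:00."""
    tz = timezone(timedelta(hours=utc_offset_hours))
    return datetime.fromtimestamp(float(ts), tz).isoformat(timespec="milliseconds")

def _convert(value, bro_type, unset):
    """Map a Bro column value to a JSON-friendly Python value."""
    if value == unset:
        return None            # Bro's '-' means the field was unset
    if bro_type in ("count", "int", "port"):
        return int(value)
    if bro_type in ("interval", "double"):
        return float(value)
    if bro_type == "time":
        return bro_ts_to_iso(value)
    return value               # addr, string, enum stay as strings

def bro_log_to_docs(text):
    """Return one dict per record, keyed by the names in the #fields header."""
    fields, types, unset, docs = [], [], "-", []
    for line in text.splitlines():
        if line.startswith("#fields\t"):
            fields = line.split("\t")[1:]
        elif line.startswith("#types\t"):
            types = line.split("\t")[1:]
        elif line.startswith("#unset_field\t"):
            unset = line.split("\t")[1]
        elif line.startswith("#") or not line:
            continue           # other header lines (#separator, #path, #close)
        else:
            docs.append({f: _convert(v, t, unset)
                         for f, v, t in zip(fields, line.split("\t"), types)})
    return docs
```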