[Bro] Couple elasticsearch questions

James Lay jlay at slave-tothe-box.net
Thu Jul 24 12:59:31 PDT 2014


On 2014-07-23 10:31, Seth Hall wrote:
> On Jul 23, 2014, at 12:15 PM, James Lay <jlay at slave-tothe-box.net> 
> wrote:
>
>> Negative.  In order to get Logstash/Kibana to identify fields, the grok
>> patterns are what is used.  I guess that's the question for me....does
>> Bro dump the data raw into elasticsearch?
>
> Bro will write the logs directly into elasticsearch (with the fields
> separated and named correctly).  You don't need logstash at all.  The
> only difference is that in your kibana config, you'll need to make it
> use slightly different index names.  I'm hoping that this is something
> we'll have more guidance on at some point.  I definitely recognize
> that more cleanup needs to be done to this code to make it more resilient
> and make it easier to get to an end-result.
>
>   .Seth
>
> --
> Seth Hall
> International Computer Science Institute
> (Bro) because everyone has a network
> http://www.bro.org/

Confirming that this works like a champ.  My testing here is using 
Logstash with its built-in Kibana, and a separate instance of 
Elasticsearch since there's more going in than just Bro.  In fact the 
whole idea is to tie in bro, snort, and syslogs.  With bro going direct 
to elasticsearch, there's nothing to really configure, save just to make 
sure your Kibana index is set to _all.  Kibana also allows you to tweak 
the timestamp so the original unix time, after tweaking, shows up as 
2014-07-24T12:16:05.795-06:00 for example.  My next step will be to get 
snort and firewall logs in....ironically, the Bro portion has been the 
easiest :)  Thanks for the work on this!

James
