[Bro] elastic search / bro questions

Joe Blow blackhole.em at gmail.com
Mon Nov 10 07:20:41 PST 2014


I'm not processing offline files, if that's what you mean (still a bit new
to bro, feel free to expand on the tracefiles).

I'm sniffing many interfaces, but it appears most (not all, but most) logs
are going into the bro index, without the time.

I was going to try and hack something around this in
'share/bro/base/frameworks/logging/writers/elasticsearch.bro' to change the
index to be dynamic with the date:

        ## Name of the ES index.
        const index_prefix = "bro" &redef;

Not sure if that would only get read on program instantiation though...

I might also be way out in left field...  Any shove in the right direction
helps :).

Cheers,

JB


On Mon, Nov 10, 2014 at 10:05 AM, Seth Hall <seth at icir.org> wrote:

>
> > On Nov 10, 2014, at 9:46 AM, Joe Blow <blackhole.em at gmail.com> wrote:
> >
> > My question is this.  Many of these ES issues appear that they can be
> alleviated if we were shoving all of the bro logs into 'bro-YYYYmmddHHMM',
> instead of some there, and some in the giant 'bro' index.  Is there any
> reason why we can't force all of the ES logging into the time based
> indices instead of the one giant bro index?  Would anyone know where to
> start hacking the BRO code to try and make this possible?
>
> Are you processing tracefiles?  If you are processing live traffic from an
> interface it should already be sharding into indexes like you want.
>
>   .Seth
>
> --
> Seth Hall
> International Computer Science Institute
> (Bro) because everyone has a network
> http://www.bro.org/
>
>
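To make the time-based sharding discussed above concrete, here is a small Python routing example written for this page. It is not Bro's elasticsearch writer and makes no claim about how that writer builds its names; it simply shows the scheme the thread describes: a fixed prefix (the `index_prefix` constant) plus a time suffix, so records from one rotation interval land in one `bro-YYYYmmddHHMM` index. The one-hour rotation interval, the `ts` field name and the constructed conn-style records are assumptions. It also validates the prefix against Elasticsearch index-name rules (lowercase, no path or wildcard characters), which is the check a practitioner wants before a redef of the prefix silently breaks bulk indexing.

```python
"""Route Bro-style log records into time-based Elasticsearch index names.

Illustration for the mailing-list discussion of index sharding; not the
code of Bro's elasticsearch writer. The rotation interval (1 hour), the
"ts" timestamp field and the sample records below are assumptions.
"""
import datetime as dt
import json

# Characters Elasticsearch rejects in an index name.
_BAD_CHARS = set('\\/*?"<>| ,#:')


def validate_prefix(prefix: str) -> str:
    """Raise ValueError if `prefix` cannot start a valid ES index name."""
    if not prefix or prefix != prefix.lower():
        raise ValueError("index prefix must be non-empty and lowercase")
    if prefix[0] in "-_+.":
        raise ValueError("index prefix must not start with - _ + or .")
    if _BAD_CHARS & set(prefix):
        raise ValueError("index prefix contains a character ES rejects")
    return prefix


def index_name(ts: float, prefix: str = "bro", interval: int = 3600) -> str:
    """Return the index for a record whose network timestamp is `ts`.

    The timestamp (epoch seconds, as Bro logs it) is floored to the start of
    its rotation interval, so every record from that interval shares one
    index named <prefix>-YYYYmmddHHMM (UTC).
    """
    validate_prefix(prefix)
    if interval <= 0:
        raise ValueError("rotation interval must be positive")
    bucket = int(ts) - (int(ts) % interval)
    stamp = dt.datetime.fromtimestamp(bucket, tz=dt.timezone.utc)
    return f"{prefix}-{stamp.strftime('%Y%m%d%H%M')}"


def shard(records, prefix: str = "bro", interval: int = 3600) -> dict:
    """Group records by target index; returns {index_name: [records...]}."""
    out: dict = {}
    for rec in records:
        out.setdefault(index_name(rec["ts"], prefix, interval), []).append(rec)
    return out


def bulk_body(records, prefix: str = "bro", interval: int = 3600) -> str:
    """Build an ES _bulk request body (action line + document line per record).

    Assumption: no document type is set, so the ES default applies.
    """
    lines = []
    for rec in records:
        action = {"index": {"_index": index_name(rec["ts"], prefix, interval)}}
        lines.append(json.dumps(action))
        lines.append(json.dumps(rec, sort_keys=True))
    return "\n".join(lines) + "\n"


# Constructed sample records (not real traffic). The first two fall in the
# 15:00 UTC hour of 2014-11-10, the third in the 16:00 hour.
SAMPLE_RECORDS = [
    {"ts": 1415632841.0, "uid": "CXa1", "id.orig_h": "10.0.0.5",
     "id.resp_h": "10.0.0.9", "proto": "tcp"},
    {"ts": 1415632899.5, "uid": "CXa2", "id.orig_h": "10.0.0.5",
     "id.resp_h": "10.0.0.10", "proto": "udp"},
    {"ts": 1415635201.0, "uid": "CXa3", "id.orig_h": "10.0.0.7",
     "id.resp_h": "10.0.0.9", "proto": "tcp"},
]


if __name__ == "__main__":
    for name, recs in shard(SAMPLE_RECORDS).items():
        print(f"{name}: {len(recs)} record(s)")
    print(bulk_body(SAMPLE_RECORDS), end="")
```

Because the prefix stays constant and only the time suffix changes per record, nothing here has to be re-read at runtime; a redef of the prefix is a one-time setting, and the validator catches a prefix that Elasticsearch would refuse before any bulk request is sent.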