[Bro] logging to elasticsearch git clone
Daniel Guerra
daniel.guerra69 at gmail.com
Thu Apr 30 19:41:26 PDT 2015
I log to JSON files. After this I use Logstash to store them in Elasticsearch.
Logstash has an embedded Elasticsearch + Kibana.
In Bro, edit init-default.bro and add @load policy/tuning/json-logs.
A config I use for Logstash might be handy for you:
Regards,
Daniel
input {
  file {
    codec => json            # Bro's json-logs tuning writes one JSON object per line
    path  => "/input/*.log"
    type  => "bro_log"
  }
}

filter {
  # Parse the `ts` attribute as a UNIX timestamp (seconds since epoch, fractional
  # seconds allowed) and store it in `@timestamp`. This will be used in Kibana later on.
  date {
    match => [ "ts", "UNIX" ]
  }

  # Expand the conn.log conn_state code into a readable label. Only conn.log
  # carries this field; events without it pass through untouched.
  translate {
    field       => "conn_state"
    destination => "conn_state_full"
    dictionary  => [
      "S0",     "Attempt",
      "S1",     "Established",
      "S2",     "Originator close only",
      "S3",     "Responder close only",
      "SF",     "SYN/FIN completion",
      "REJ",    "Rejected",
      "RSTO",   "Originator aborted",
      "RSTR",   "Responder aborted",
      "RSTOS0", "Originator SYN + RST",
      "RSTRH",  "Responder SYN ACK + RST",
      "SH",     "Originator SYN + FIN",
      "SHR",    "Responder SYN ACK + FIN",
      "OTH",    "Midstream traffic"
    ]
  }

  # Derive the log type (conn, dns, http, known_hosts, ...) from the file name.
  # The underscore in the character class is needed for logs such as
  # known_hosts.log and known_services.log, which would otherwise get a
  # _grokparsefailure tag and no bro_type.
  grok {
    match => { "path" => ".*\/(?<bro_type>[a-zA-Z0-9_]+)\.log$" }
  }
}

output {
  elasticsearch {
    embedded => true         # index into the Elasticsearch instance embedded in Logstash
  }
}
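The following is an added example, not part of the original post or of Bro or Logstash. It reproduces the three filter steps of the config above (the `date` parse of `ts`, the `conn_state` translation and the `bro_type` extraction from the file path) in plain Python, so you can check what Bro's json-logs output will look like once indexed, and see how malformed lines are skipped instead of indexed, before pointing Logstash at the directory. The sample log lines are constructed here (made-up hosts, UIDs and timestamps) in the shape of Bro's JSON conn.log; the function names and the `"unknown"` fallback label are this example's own choices.

```python
import json
import re
from datetime import datetime, timezone

# conn_state labels, copied from the translate filter in the Logstash config above.
CONN_STATE_FULL = {
    "S0": "Attempt",
    "S1": "Established",
    "S2": "Originator close only",
    "S3": "Responder close only",
    "SF": "SYN/FIN completion",
    "REJ": "Rejected",
    "RSTO": "Originator aborted",
    "RSTR": "Responder aborted",
    "RSTOS0": "Originator SYN + RST",
    "RSTRH": "Responder SYN ACK + RST",
    "SH": "Originator SYN + FIN",
    "SHR": "Responder SYN ACK + FIN",
    "OTH": "Midstream traffic",
}

# Same idea as the grok pattern: the log file name becomes bro_type.
# The underscore is needed for logs such as known_hosts.log.
BRO_TYPE_RE = re.compile(r".*/(?P<bro_type>[A-Za-z0-9_]+)\.log$")


def bro_type_from_path(path):
    """Return the Bro log name for a path like /input/conn.log, or None."""
    m = BRO_TYPE_RE.match(path)
    return m.group("bro_type") if m else None


def enrich(line, path):
    """Turn one Bro JSON log line into the document Logstash would index.

    Raises ValueError on malformed JSON or a missing ts field, so the caller
    can count and skip bad lines instead of indexing junk.
    """
    event = json.loads(line)  # json.JSONDecodeError is a ValueError subclass
    if not isinstance(event, dict) or "ts" not in event:
        raise ValueError("not a Bro JSON record (no ts field)")
    # date filter: ts is seconds since the epoch, possibly fractional
    ts = datetime.fromtimestamp(float(event["ts"]), tz=timezone.utc)
    event["@timestamp"] = ts.isoformat()
    event["type"] = "bro_log"
    bro_type = bro_type_from_path(path)
    if bro_type:
        event["bro_type"] = bro_type
    # translate filter: only conn.log carries conn_state
    if "conn_state" in event:
        event["conn_state_full"] = CONN_STATE_FULL.get(event["conn_state"], "unknown")
    return event


def process_file(path, lines):
    """Process every line of one log file; return (events, errors)."""
    events, errors = [], []
    for lineno, line in enumerate(lines, 1):
        if not line.strip():
            continue
        try:
            events.append(enrich(line, path))
        except ValueError as exc:
            errors.append((lineno, str(exc)))
    return events, errors


# Constructed sample input in the shape of Bro's json-logs conn.log (made-up values).
# The third line simulates a truncated or corrupted write that must not be indexed.
SAMPLE_CONN_LINES = [
    '{"ts":1430446886.5,"uid":"CHhAvVGS1DHFjwGM9","id.orig_h":"10.0.0.5","id.orig_p":52437,'
    '"id.resp_h":"93.184.216.34","id.resp_p":80,"proto":"tcp","service":"http",'
    '"duration":0.21,"conn_state":"SF"}',
    '{"ts":1430446890.0,"uid":"CJcT7g2Xj7m1n8m3Qd","id.orig_h":"10.0.0.5","id.orig_p":52438,'
    '"id.resp_h":"10.0.0.9","id.resp_p":445,"proto":"tcp","conn_state":"S0"}',
    'this line is not JSON',
]

if __name__ == "__main__":
    events, errors = process_file("/input/conn.log", SAMPLE_CONN_LINES)
    for e in events:
        print(e["@timestamp"], e["bro_type"], e["conn_state"], "->", e["conn_state_full"])
    for lineno, msg in errors:
        print("skipped line %d: %s" % (lineno, msg))
```

Bro's JSON logs use dotted keys such as id.orig_h; the example keeps them as-is, exactly as the `json` codec would hand them to the filters. Note that a line which is not a complete JSON object (for instance one still being written when the input reads it) raises and is reported rather than silently producing a half-filled document.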
> On 30 Apr 2015, at 18:27, Mo Jia <life.130815 at gmail.com> wrote:
>
> Hi :
>
> I follow the https://www.bro.org/sphinx/frameworks/logging-elasticsearch.html
> with git clone latest source, seem it can't take effect to find it
> should build elasticsearch. So how can I build elasticsearch with
> latest source?
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro