[Bro] Bro Kafka logging plugin

Aaron Gee-Clough lists at g-clef.net
Fri Aug 14 11:17:09 PDT 2015


All,

I have a bro plugin that I've just finished writing that I'm hoping some
folks will help test. It's a logging plugin that will send
JSON-formatted bro logs to a Kafka message broker.

The code is at: https://github.com/g-clef/KafkaLogger .

Rather than writing a simple log forwarder, I modified things a bit:
	* You can specify which logs to send to Kafka in the bro config.
	* It will add a "type" field to the JSON message to clarify which log
the message came from ("http" vs "conn" vs "ssl", for example).
	* It will add a "sensor" field to the JSON message to allow you to tag
logs from particular sensors in your network (if you have multiple bro
sensors, you may want to be able to distinguish between logs from
different sensors).
	* It will rename the "ts", "id.orig_h", "id.orig_p", "id.resp_h", and
"id.resp_p" fields to more commonly-used names (for example, "ts"
becomes "@timestamp" to interoperate with logstash-style logs).

The plugin is pretty young, so I would consider this beta testing at the
moment. It is working and seems to be stable in my testing, but I'd love
to have some other folks than me testing it.

Feel free to send me questions or pull requests.

aaron
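To make the message shaping described in the announcement concrete, here is an added Python example (not code from the KafkaLogger plugin, which is a Bro plugin and does not ship this script). It reproduces the four behaviours listed above on constructed sample records: an allow-list of log types, a "type" tag, a "sensor" tag, and the field renames. Only "ts" to "@timestamp" is stated in the post; the other four target names (src_ip, src_port, dst_ip, dst_port), the conversion of the epoch timestamp to ISO 8601, and the sensor name are assumptions made here for illustration.

```python
import json
from datetime import datetime, timezone

# Field renames as the announcement describes them. Only "ts" -> "@timestamp"
# is stated there; the other four target names are assumptions for this example.
FIELD_RENAMES = {
    "ts": "@timestamp",
    "id.orig_h": "src_ip",
    "id.orig_p": "src_port",
    "id.resp_h": "dst_ip",
    "id.resp_p": "dst_port",
}


def should_forward(log_type, enabled_logs):
    """Mirror the 'choose which logs go to Kafka' setting: forward only listed logs."""
    return log_type in enabled_logs


def enrich_record(log_type, sensor, record):
    """Build the message body: rename known fields, add 'type' and 'sensor' tags.

    Bro writes 'ts' as seconds since the epoch; converting it to an ISO 8601
    UTC string under '@timestamp' is an assumption made here so the value is
    what logstash-style consumers expect.
    """
    out = {}
    for key, value in record.items():
        new_key = FIELD_RENAMES.get(key, key)
        if key == "ts" and isinstance(value, (int, float)):
            value = datetime.fromtimestamp(value, tz=timezone.utc).isoformat()
        out[new_key] = value
    out["type"] = log_type      # which Bro log this came from ("conn", "http", ...)
    out["sensor"] = sensor      # which sensor produced it, for multi-sensor deployments
    return out


def build_messages(sensor, enabled_logs, records):
    """Turn (log_type, record) pairs into serialized message payloads,
    dropping logs that are not enabled in the (hypothetical) config."""
    messages = []
    for log_type, record in records:
        if not should_forward(log_type, enabled_logs):
            continue
        messages.append(json.dumps(enrich_record(log_type, sensor, record), sort_keys=True))
    return messages


# Constructed sample records in the shape of Bro's JSON log output (not real traffic).
SAMPLE_RECORDS = [
    ("conn", {"ts": 1439576229.0, "uid": "CExample1", "id.orig_h": "10.0.0.5",
              "id.orig_p": 51234, "id.resp_h": "93.184.216.34", "id.resp_p": 443,
              "proto": "tcp", "service": "ssl"}),
    ("dns", {"ts": 1439576230.0, "uid": "CExample2", "id.orig_h": "10.0.0.5",
             "id.orig_p": 5353, "id.resp_h": "10.0.0.1", "id.resp_p": 53,
             "query": "example.com"}),
]

if __name__ == "__main__":
    # With only conn/ssl/http enabled, the dns record is filtered out.
    for msg in build_messages("sensor-dmz-1", {"conn", "ssl", "http"}, SAMPLE_RECORDS):
        print(msg)
```

Keeping the original field names out of the output matters when the consumer indexes on "@timestamp" or "src_ip": a stray "ts" or "id.orig_h" key would otherwise create duplicate, unmapped fields downstream.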