[Bro] Bro Kafka logging plugin

Marcus LaFerrera marcus at randomhack.org
Mon Aug 17 12:30:44 PDT 2015


Thanks for sharing Aaron. This is terrific.

On Fri, Aug 14, 2015 at 2:17 PM, Aaron Gee-Clough <lists at g-clef.net> wrote:

>
> All,
>
> I have a bro plugin that I've just finished writing that I'm hoping some
> folks will help test. It's a logging plugin that will send
> JSON-formatted bro logs to a Kafka message broker.
>
> The code is at: https://github.com/g-clef/KafkaLogger .
>
> Rather than writing a simple log forwarder, I modified things a bit:
>         * You can specify which logs to send to Kafka in the bro config.
>         * It will add a "type" field to the JSON message to clarify which
> log the message came from ("http" vs "conn" vs "ssl", for example).
>         * It will add a "sensor" field to the JSON message to allow you to
> tag logs from particular sensors in your network (if you have multiple bro
> sensors, you may want to be able to distinguish between logs from
> different sensors).
>         * It will rename the "ts", "id.orig_h", "id.orig_p", "id.resp_h",
> and "id.resp_p" fields to more commonly-used names (for example, "ts"
> becomes "@timestamp" to interoperate with logstash-style logs).
>
> The plugin is pretty young, so I would consider this beta testing at the
> moment. It is working and seems to be stable in my testing, but I'd love
> to have some other folks than me testing it.
>
> Feel free to send me questions or pull requests.
>
> aaron
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
>



-- 
Cheers,
Marcus
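Added example (editor's illustration, not code from the KafkaLogger plugin or from either poster): the message shaping Aaron describes, written as a standalone Python function so the behaviour can be checked against sample records before anything is published to a broker. Only "ts" -> "@timestamp" is stated in the thread; the target names for the id.* fields, the conversion of Bro's epoch-seconds timestamp to ISO 8601 for Logstash, the LOGS_TO_SHIP set standing in for the bro config, and the refusal to overwrite an existing "type" or "sensor" field are all assumptions made here. The sample conn records are constructed.

```python
"""Shape Bro JSON log records the way the thread describes a Kafka logging
plugin doing it: ship only configured logs, tag each message with "type" and
"sensor", and rename ts/id.* to more common names (added illustration, not
the plugin's code)."""
import json
from datetime import datetime, timezone

# Stand-in for "which logs to send to Kafka in the bro config" (assumed).
LOGS_TO_SHIP = {"conn", "http", "ssl"}

# "ts" -> "@timestamp" is from the thread; the id.* target names are assumed.
RENAMES = {
    "ts": "@timestamp",
    "id.orig_h": "src_ip",
    "id.orig_p": "src_port",
    "id.resp_h": "dest_ip",
    "id.resp_p": "dest_port",
}


def to_kafka_message(log_name, record, sensor):
    """Return the dict to publish for one record, or None if log_name is not shipped.

    Raises ValueError if the record already carries a "type" or "sensor"
    field, rather than silently clobbering it (assumed policy).
    """
    if log_name not in LOGS_TO_SHIP:
        return None
    out = {}
    for key, value in record.items():
        new_key = RENAMES.get(key, key)
        if new_key == "@timestamp":
            # Bro writes ts as epoch seconds; Logstash-style consumers expect
            # ISO 8601, so convert (assumed; the thread only names the field).
            value = datetime.fromtimestamp(float(value), tz=timezone.utc).isoformat()
        out[new_key] = value
    for tag, tag_value in (("type", log_name), ("sensor", sensor)):
        if tag in out:
            raise ValueError(f"record already has a {tag!r} field; refusing to overwrite")
        out[tag] = tag_value
    return out


def shape_lines(log_name, lines, sensor):
    """Parse newline-delimited JSON log lines and return the shaped messages."""
    shaped = []
    for line in lines:
        if not line.strip():
            continue
        msg = to_kafka_message(log_name, json.loads(line), sensor)
        if msg is not None:
            shaped.append(msg)
    return shaped


# Constructed sample: two conn records in the shape Bro's JSON writer emits.
SAMPLE_CONN = [
    '{"ts":1439587020.0,"uid":"CX1","id.orig_h":"10.0.0.5","id.orig_p":51234,'
    '"id.resp_h":"93.184.216.34","id.resp_p":443,"proto":"tcp","service":"ssl"}',
    '{"ts":1439587021.5,"uid":"CX2","id.orig_h":"10.0.0.7","id.orig_p":40000,'
    '"id.resp_h":"10.0.0.53","id.resp_p":53,"proto":"udp","service":"dns"}',
]

if __name__ == "__main__":
    for msg in shape_lines("conn", SAMPLE_CONN, "sensor-dmz-1"):
        print(json.dumps(msg, sort_keys=True))
```

Running it prints the two messages with "type": "conn", "sensor": "sensor-dmz-1", "@timestamp" in ISO 8601 and the id.* fields renamed; a record from a log not in LOGS_TO_SHIP is dropped. The collision check matters because a downstream consumer keys on "type" and "sensor" to trust where a message came from, and a field silently overwritten at the sensor is hard to notice later.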