[Bro] Elasticsearch Writer vs logstash

anthony kasza anthony.kasza at gmail.com
Thu Jan 29 23:29:28 PST 2015


I thought the ES writer had some issues that needed working out around indexes
or something. Seth?

-AK
On Jan 29, 2015 11:17 PM, "Luis Miguel Silva" <
luismiguelferreirasilva at gmail.com> wrote:

> ...I just found a website that has a tutorial on how to parse bro logs
> with logstash <http://www.appliednsm.com/parsing-bro-logs-with-logstash/>
> AND points to the config used in the distro Security Onion
> <http://www.appliednsm.com/wp-content/uploads/logstash-SObro22-parse.conf_.txt>
> .
>
> So I'd just like to know what your thoughts are on using the elasticsearch
> writer vs logstash?
>
> Thank you,
> Luis
>
> On Thu, Jan 29, 2015 at 11:48 PM, Luis Miguel Silva <
> luismiguelferreirasilva at gmail.com> wrote:
>
>> Dear all,
>>
>> I'm interested in dumping my bro logs into an Elasticsearch instance
>> and, based on what I was able to learn thus far, it seems I have two
>> different options:
>> - use the elasticsearch writer (which the documentation says should not
>> be used in production as it doesn't have any error checking)
>> - or use logstash to read info directly from the bro logs and externally
>> dump it into elasticsearch
>>
>> It seems to me the logstash route is better, given that I should be able
>> to massage the data into more "user friendly" fields that can be easily
>> queried with elasticsearch.
>>
>> So my question is, based on your experience, what is the best option?
>> And, if you do use logstash, can you share your logstash config?
>>
>> Thanks in advance,
>> Luis
>>
>
>
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
>
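Whichever route is taken, the hard part of the Logstash option Luis describes is turning Bro's tab-separated ASCII logs into typed, Elasticsearch-friendly documents: unset fields ("-") and empty containers ("(empty)") must not become literal strings, ports and counts should index as numbers, epoch timestamps should become ISO-8601, and dotted names such as id.orig_h are better stored as nested objects. The following is an added example written for this thread, not code from the Bro project or from anyone on the list. It assumes the standard Bro 2.x ASCII writer header (#separator, #set_separator, #empty_field, #unset_field, #path, #fields, #types) and parses a constructed two-record conn.log embedded inline; the output field names log_type and @timestamp are choices made here (the latter because Logstash and Kibana key on it), not Bro conventions.

```python
"""Parse Bro 2.x ASCII logs into typed JSON documents for Elasticsearch.

Added example for the thread above, not Bro project code. It converts each
column by the Bro type declared in the #types header line.
"""
import datetime
import json

# Constructed sample conn.log: header plus two made-up records, not a capture.
SAMPLE_CONN_LOG = "\n".join([
    "#separator \\x09",
    "#set_separator\t,",
    "#empty_field\t(empty)",
    "#unset_field\t-",
    "#path\tconn",
    "#open\t2015-01-29-23-00-00",
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto"
    "\tservice\tduration\torig_bytes\tconn_state\tlocal_orig\ttunnel_parents",
    "#types\ttime\tstring\taddr\tport\taddr\tport\tenum"
    "\tstring\tinterval\tcount\tstring\tbool\tset[string]",
    "1422601200.123456\tCXWv6p3arKYeMETxOg\t10.0.0.5\t51234\t93.184.216.34"
    "\t80\ttcp\thttp\t0.250000\t512\tSF\tT\t-",
    "1422601201.000000\tCjhGID4nQcgTWjvg4c\t10.0.0.5\t53010\t10.0.0.1"
    "\t53\tudp\tdns\t-\t-\tS0\tF\t(empty)",
    "#close\t2015-01-29-23-59-59",
])


def _decode_separator(raw):
    # "#separator \x09" spells the column separator as an escape sequence
    return raw.encode("ascii").decode("unicode_escape")


def _convert(value, btype, meta):
    """Convert one text column to a JSON-friendly value by its Bro type."""
    if value == meta["unset_field"]:            # "-": field never set
        return None
    if btype.startswith(("set[", "vector[")):
        if value == meta["empty_field"]:        # "(empty)": empty container
            return []
        inner = btype[btype.index("[") + 1:-1]
        return [_convert(v, inner, meta) for v in value.split(meta["set_separator"])]
    if value == meta["empty_field"]:
        return ""
    if btype == "time":                         # epoch seconds -> ISO-8601 UTC
        ts = datetime.datetime.fromtimestamp(float(value), datetime.timezone.utc)
        return ts.strftime("%Y-%m-%dT%H:%M:%S.%fZ")
    if btype in ("count", "int", "port"):
        return int(value)
    if btype in ("double", "interval"):
        return float(value)
    if btype == "bool":                         # Bro writes T / F
        return value == "T"
    return value                                # string, addr, subnet, enum


def _nest(doc, dotted_name, value):
    """Store id.orig_h as {"id": {"orig_h": ...}} rather than a dotted key."""
    parts = dotted_name.split(".")
    cur = doc
    for part in parts[:-1]:
        cur = cur.setdefault(part, {})
    cur[parts[-1]] = value


def parse_bro_log(text):
    """Yield one dict per data record of a Bro ASCII log given as a string."""
    meta = {"separator": "\t", "set_separator": ",", "empty_field": "(empty)",
            "unset_field": "-", "path": None}
    fields = types = None
    for line in text.splitlines():
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#separator "):
                meta["separator"] = _decode_separator(line[len("#separator "):])
                continue
            key, _, value = line[1:].partition(meta["separator"])
            if key == "fields":
                fields = value.split(meta["separator"])
            elif key == "types":
                types = value.split(meta["separator"])
            elif key in meta:
                meta[key] = value
            continue                            # #open / #close carry no data
        if fields is None or types is None:
            raise ValueError("data record before #fields/#types header")
        cols = line.split(meta["separator"])
        if len(cols) != len(fields):
            raise ValueError("got %d columns, expected %d" % (len(cols), len(fields)))
        doc = {"log_type": meta["path"]}        # "conn", "dns", "http", ...
        for name, btype, raw in zip(fields, types, cols):
            _nest(doc, name, _convert(raw, btype, meta))
        if isinstance(doc.get("ts"), str):
            doc["@timestamp"] = doc["ts"]       # the field Logstash/Kibana key on
        yield doc


def parse_records(text):
    """Convenience wrapper returning all records as a list."""
    return list(parse_bro_log(text))


if __name__ == "__main__":
    for rec in parse_bro_log(SAMPLE_CONN_LOG):
        print(json.dumps(rec, sort_keys=True))
```

Each printed line is one document ready for the Elasticsearch bulk API. Converting by the #types header rather than by guessing from values is what keeps a port like 80 from being indexed as text in one record and as a number in another, and mapping "-" to null rather than the string "-" keeps range and existence queries honest.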