[Bro] logging to elasticsearch git clone
Andrew Ratcliffe
andrew.ratcliffe at nswcsystems.co.uk
Fri May 1 01:13:17 PDT 2015
Also, you could have a look at this for an alternative way of getting Bro into Logstash.
http://www.appliednsm.com/parsing-bro-logs-with-logstash/
> On 1 May 2015, at 03:41, Daniel Guerra <daniel.guerra69 at gmail.com> wrote:
>
> I log to JSON files. After this I use Logstash to store it in Elasticsearch.
> Logstash has an embedded Elasticsearch + Kibana.
>
> In Bro, edit init-default.bro and add @load policy/tuning/json-logs
>
> A config I use for Logstash might be handy for you:
>
> Regards,
> Daniel
>
> input {
> file {
> codec => json
> path => "/input/*.log"
> type => "bro_log"
> }
> }
>
> filter {
> # Parse the `ts` attribute as a UNIX timestamp (seconds since epoch)
> # and store it in the `@timestamp` attribute. This will be used in Kibana later on.
> date {
> match => [ "ts", "UNIX" ]
> }
> translate {
> field => "conn_state"
> destination => "conn_state_full"
> dictionary => [
> "S0", "Attempt",
> "S1", "Established",
> "S2", "Originator close only",
> "S3", "Responder close only",
> "SF", "SYN/FIN completion",
> "REJ", "Rejected",
> "RSTO", "Originator aborted",
> "RSTR", "Responder aborted",
> "RSTOS0", "Originator SYN + RST",
> "RSTRH", "Responder SYN ACK + RST",
> "SH", "Originator SYN + FIN",
> "SHR", "Responder SYN ACK + FIN",
> "OTH", "Midstream traffic"
> ]
> }
> grok {
> match => { "path" => ".*\/(?<bro_type>[a-zA-Z0-9]+)\.log$" }
> }
> }
>
>
> output {
> elasticsearch {
> embedded => true
> }
> }
>
>> On 30 Apr 2015, at 18:27, Mo Jia <life.130815 at gmail.com> wrote:
>>
>> Hi :
>>
>> I followed https://www.bro.org/sphinx/frameworks/logging-elasticsearch.html
>> with a git clone of the latest source, but it seems it can't take effect; it doesn't find that it
>> should build elasticsearch. So how can I build elasticsearch with the
>> latest source?
>> _______________________________________________
>> Bro mailing list
>> bro at bro-ids.org <mailto:bro at bro-ids.org>
>> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
>
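The three filter steps in the Logstash config above (UNIX `ts` to `@timestamp`, `conn_state` code to a readable name, `bro_type` from the file name) reproduced in a standalone script, useful for checking what an event will look like in Elasticsearch before wiring up the pipeline. This is an added example, not code from the thread; the two JSON lines are constructed samples, not real traffic, and the field names follow what policy/tuning/json-logs writes.

```python
import json
import re
from datetime import datetime, timezone

# Same conn_state dictionary as the Logstash `translate` filter in the thread.
CONN_STATE = {
    "S0": "Attempt", "S1": "Established", "S2": "Originator close only",
    "S3": "Responder close only", "SF": "SYN/FIN completion", "REJ": "Rejected",
    "RSTO": "Originator aborted", "RSTR": "Responder aborted",
    "RSTOS0": "Originator SYN + RST", "RSTRH": "Responder SYN ACK + RST",
    "SH": "Originator SYN + FIN", "SHR": "Responder SYN ACK + FIN",
    "OTH": "Midstream traffic",
}

# Equivalent of the grok pattern ".*\/(?<bro_type>[a-zA-Z0-9]+)\.log$"
BRO_TYPE_RE = re.compile(r".*/(?P<bro_type>[a-zA-Z0-9]+)\.log$")


def enrich_event(line: str, path: str) -> dict:
    """Apply the thread's date/translate/grok steps to one JSON log line."""
    event = json.loads(line)
    event["type"] = "bro_log"
    # date filter: "ts" is a UNIX timestamp (float seconds) -> @timestamp (UTC)
    event["@timestamp"] = datetime.fromtimestamp(
        float(event["ts"]), tz=timezone.utc).isoformat()
    # translate filter: only conn.log carries conn_state; other logs are left alone.
    # Unknown codes are passed through unchanged rather than dropped.
    if "conn_state" in event:
        code = event["conn_state"]
        event["conn_state_full"] = CONN_STATE.get(code, code)
    # grok filter: derive bro_type (conn, dns, http, ...) from the file name
    m = BRO_TYPE_RE.match(path)
    if m:
        event["bro_type"] = m.group("bro_type")
    return event


# Constructed sample lines (not real traffic), shaped like json-logs output.
SAMPLE_CONN = ('{"ts":1430468400.123,"uid":"CAbc123","id.orig_h":"10.0.0.5",'
               '"id.resp_h":"10.0.0.9","id.resp_p":445,"proto":"tcp","conn_state":"S0"}')
SAMPLE_DNS = '{"ts":1430468401.5,"uid":"CDef456","query":"example.com","rcode_name":"NOERROR"}'

if __name__ == "__main__":
    for line, path in ((SAMPLE_CONN, "/input/conn.log"), (SAMPLE_DNS, "/input/dns.log")):
        print(json.dumps(enrich_event(line, path), sort_keys=True))
```

Note that the Logstash `translate` filter as written leaves `conn_state_full` unset for a code not in the dictionary; the script instead copies the raw code through so the field is always present.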