[Bro] loging to elasticsearch git clone

Andrew Ratcliffe andrew.ratcliffe at nswcsystems.co.uk
Fri May 1 01:13:17 PDT 2015 

Also, you could have a look at this for an alternative way of getting Bro into Logstash.
http://www.appliednsm.com/parsing-bro-logs-with-logstash/ <http://www.appliednsm.com/parsing-bro-logs-with-logstash/>

> On 1 May 2015, at 03:41, Daniel Guerra <daniel.guerra69 at gmail.com> wrote:
> 
> I log to json files. After this I use logstash to store it in elasticsearch.
> Logstash has an embeded elasicsearch + kibana
> 
> in bro edit init-default.bro and add @load policy/tuning/json-logs
> 
> a config i use for logstash might be handy for you
> 
> Regards,
> Daniel
> 
> input {
>   file {
>     codec => json
>     path => "/input/*.log"
>     type => "bro_log"
>   }
> }
> 
> filter {
>   # Parse the `time` attribute as a UNIX timestamp (seconds since epoch)
>   # and store it in `@timestamp` attribute. This will be used in Kibana later on.
>   date {
>     match => [ "ts", "UNIX" ]
>   }
>   translate {
>       field => "conn_state"
>       destination => "conn_state_full"
>       dictionary => [
>         "S0", "Attempt",
>         "S1", "Established",
>         "S2", "Originator close only",
>         "S3", "Responder close only",
>         "SF", "SYN/FIN completion",
>         "REJ", "Rejected",
>         "RSTO", "Originator aborted",
>         "RSTR", "Responder aborted",
>         "RSTOS0", "Originator SYN +  RST",
>         "RSTRH", "Responder SYN ACK + RST",
>         "SH", "Originator SYN + FIN",
>         "SHR", "Responder SYN ACK + FIN",
>         "OTH", "Midstream traffic"
>       ]
>     }
>     grok {
>         match => { "path" => ".*\/(?<bro_type>[a-zA-Z0-9]+)\.log$" }
>     }
> }
> 
> 
> output {
>   elasticsearch {
>     embedded => true
>   }
> }
> 
>> On 30 Apr 2015, at 18:27, Mo Jia <life.130815 at gmail.com <mailto:life.130815 at gmail.com>> wrote:
>> 
>> Hi :
>> 
>> I follow the https://www.bro.org/sphinx/frameworks/logging-elasticsearch.html <https://www.bro.org/sphinx/frameworks/logging-elasticsearch.html>
>> with git clone latest source, seem it can't take effect to find it
>> should build elasticsearch.  So how can I build elasticsearch with
>> latest source?
>> _______________________________________________
>> Bro mailing list
>> bro at bro-ids.org <mailto:bro at bro-ids.org>
>> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
> 
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20150501/538a2363/attachment-0001.html 
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 495 bytes
Desc: Message signed with OpenPGP using GPGMail
Url : http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20150501/538a2363/attachment-0001.bin

More information about the Bro mailing list