[Bro] loging to elasticsearch git clone

[Daniel Guerra]

Logging local and then parse (the logstash way) it is not really preferred. I have been playing with docker and created a docker image for bro with elasticsearch. This works great bro uses elasticsearch to log, only kibana needs a different timestamp (ts). 
To check your bro can do elasticsearch do : 
/usr/local/bro/bin/bro -N Bro::ElasticSearch
should give
Bro::ElasticSearch - ElasticSearch log writer (dynamic, version 1.0)

Setup elasticsearch
vi /usr/local/bro/share/bro/base/frameworks/logging/main.bro   
and set
const enable_local_logging = F
to avoid local logging
vi /usr/local/bro/lib/bro/plugins/Bro_ElasticSearch/scripts/init.bro
and set 
## Name of the ES cluster.
        const cluster_name = “<clustername>" &redef;

        ## ES server.
        const server_host = “<yourip>" &redef;

to get clustername and ip check with your browser http://<elasticip>:9200/_nodes

mkdir /usr/local/bro/share/bro/elasticsearch and copy from the git bro source dir aux/plugins/elasticsearch/scripts/Bro/ElasticSearch/logs-to-elasticsearch.bro to
/usr/local/bro/share/bro/elasticsearch  

add to /usr/local/bro/share/bro/base/init-default.bro

@load elasticsearch/logs-to-elasticsearch

You are now ready to log to elasticsearch

In kibana use bro-* to get your indices or check http://<elasticip>:9200/_cat/indices?v

Hopefully bro can log a YYYY:mm:dd HH:MM:ss format for ts, work in progress …….

Regards,

Daniel


-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20150502/76c4d0ae/attachment.html