[Bro] Bro with elasticsearch 2.0

Tim Desrochers tgdesrochers at gmail.com
Fri Nov 6 13:13:32 PST 2015


This may not be a question for this forum but I have raised it in the elasticsearch forum with no answers.

I just upgraded my ES cluster to elasticsearch 2.0 and it seems that elasticsearch no longer allows for dots (.) in field names and will not send that data into the cluster. This means that any info from the Intel log, x509 log, and other fields will no longer be indexed.

Is there a workaround for this? Is there a way to have bro print fields with underscores instead of periods or, and this may be easier, is there a way to have logstash look for any field name with a dot and replace it with an underscore?

As with many things, upgrades in one product drive changes in others. I'm not sure of the reason ES 2.0 decided that field names cannot include dots, but I'd love to find a way to make this work with bro once again.

Thanks
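The logstash-side workaround the post asks about, as an added example that is not part of the original message and not code from the Bro or Elasticsearch projects: a small Python filter that reads Bro's JSON log lines (as produced with `redef LogAscii::use_json = T;`) and renames every key containing a dot, recursively, before the record is shipped to an ES 2.0 index. Dots in values (IP addresses, certificate subjects) are left alone, and a rename that would collide with an existing field (for example `id.orig_h` next to a pre-existing `id_orig_h`) raises instead of silently overwriting one of them. The field names `id.orig_h`, `seen.indicator`, `certificate.subject` and so on are Bro's real nested-record names; the record values, uids and the feed name are constructed for the example. On the Bro side, the logging framework's `Log::default_scope_sep` (default `"."`) is the setting that picks the separator for nested record fields, so `redef Log::default_scope_sep = "_";` has the same effect at the source.

```python
"""De-dot field names in Bro JSON log records for Elasticsearch 2.0.

Added example: reads JSON log lines, renames keys that contain '.' to use
'_' (recursively, including nested objects and arrays), and refuses to
proceed if a rename would collide with an existing key.
"""
import json

SEP = "_"


def dedot_key(key, sep=SEP):
    """Return the key with every '.' replaced by sep."""
    return key.replace(".", sep)


def dedot(obj, sep=SEP):
    """Recursively rename dotted keys in dicts; lists are walked, scalars returned as-is.

    Raises ValueError if two keys in the same object map to the same name.
    """
    if isinstance(obj, dict):
        out = {}
        for key, value in obj.items():
            new_key = dedot_key(key, sep) if isinstance(key, str) else key
            if new_key in out:
                raise ValueError(
                    "field name collision: %r would overwrite %r" % (key, new_key)
                )
            out[new_key] = dedot(value, sep)
        return out
    if isinstance(obj, list):
        return [dedot(item, sep) for item in obj]
    return obj


def dotted_keys(obj):
    """List every key (depth-first) that still contains a '.'; empty means ES 2.0 safe."""
    found = []
    if isinstance(obj, dict):
        for key, value in obj.items():
            if isinstance(key, str) and "." in key:
                found.append(key)
            found.extend(dotted_keys(value))
    elif isinstance(obj, list):
        for item in obj:
            found.extend(dotted_keys(item))
    return found


def convert_line(line, sep=SEP):
    """Convert one JSON log line; output is compact JSON on a single line."""
    record = dedot(json.loads(line), sep)
    return json.dumps(record, separators=(",", ":"))


def convert_stream(lines, sep=SEP):
    """Convert an iterable of log lines, skipping blank ones."""
    for line in lines:
        line = line.strip()
        if line:
            yield convert_line(line, sep)


# Constructed sample lines in the shape of Bro's conn, intel and x509 JSON logs.
# Key names are Bro's; the values, uids and the intel source are made up.
SAMPLE_LINES = [
    '{"ts":1446840812.123,"uid":"CHhAvVGS1DHFjwGM9","id.orig_h":"10.0.0.5",'
    '"id.orig_p":52133,"id.resp_h":"93.184.216.34","id.resp_p":443,'
    '"proto":"tcp","service":"ssl"}',
    '{"ts":1446840812.456,"uid":"CHhAvVGS1DHFjwGM9","id.orig_h":"10.0.0.5",'
    '"id.orig_p":52133,"id.resp_h":"93.184.216.34","id.resp_p":443,'
    '"seen.indicator":"93.184.216.34","seen.indicator_type":"Intel::ADDR",'
    '"seen.where":"Conn::IN_RESP","sources":["constructed-feed"]}',
    '{"ts":1446840812.789,"id":"FqZ4Xb2m9k","certificate.version":3,'
    '"certificate.serial":"0A1B2C","certificate.subject":"CN=example.com",'
    '"certificate.issuer":"CN=Example CA","certificate.key_type":"rsa",'
    '"certificate.key_length":2048}',
]


if __name__ == "__main__":
    for converted in convert_stream(SAMPLE_LINES):
        print(converted)
```

Run it as a pipe stage (`tail -F conn.log | python dedot.py`) by swapping `SAMPLE_LINES` for `sys.stdin`, or drop the body of `dedot` into a logstash `ruby` filter; the collision check matters because an index mapping silently taking whichever field arrives last is harder to debug than a rejected line.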
