[Bro] Bro -> Elasticsearch -> Kibana4beta -> GeoLocation

Daniel Guerra daniel.guerra69 at gmail.com
Wed Oct 28 06:31:05 PDT 2015


To be more clear: I use this Bro script for geolocation.

##! Extend Conn::Info with GeoIP lookups for both endpoints of a connection,
##! so that conn.log carries the originator's and responder's location.

module Conn;

export {
	redef record Conn::Info += {
		## Location of the originating host (c$id$orig_h). Only set when the
		## lookup returned both latitude and longitude.
		orig_loc: geo_location &optional &log;
		## Location of the responding host (c$id$resp_h). Only set when the
		## lookup returned both latitude and longitude.
		resp_loc: geo_location &optional &log;
	};
}

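## Attach GeoIP locations for the originator and responder to the connection's
## Conn::Info record just before it is logged.
##
## c: The connection being removed from state.
##
## NOTE(review): this relies on running before the Conn script's Log::write
## for the same event; with the stock conn script that holds at the default
## priority (confirm if the fields ever fail to appear in conn.log).
event connection_state_remove(c: connection)
	{
	# c$conn is &optional on the connection record; skip rather than trip a
	# missing-field runtime error if no Conn::Info was attached.
	if ( ! c?$conn )
		return;

	# lookup_location() returns a record whose fields are all &optional, so a
	# location is only recorded when both coordinates are present.
	local orig_loc = lookup_location(c$id$orig_h);
	if ( orig_loc?$longitude && orig_loc?$latitude )
		c$conn$orig_loc = orig_loc;

	local resp_loc = lookup_location(c$id$resp_h);
	if ( resp_loc?$longitude && resp_loc?$latitude )
		c$conn$resp_loc = resp_loc;
	}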

It produces this output (JSON example):
{
    "ts": "2013-04-26T12:12:02.341149Z",
    "uid": "C0GaiXWHKY4Uj0qke",
    "id.orig_h": "83.161.249.149",
    "id.orig_p": 49318,
    "id.resp_h": "68.232.35.139",
    "id.resp_p": 443,
    "proto": "tcp",
    "conn_state": "SHR",
    "missed_bytes": 0,
    "history": "f",
    "orig_pkts": 0,
    "orig_ip_bytes": 0,
    "resp_pkts": 1,
    "resp_ip_bytes": 67,
    "tunnel_parents": [],
    "orig_loc.country_code": "NL",
    "orig_loc.latitude": 52.366699,
    "orig_loc.longitude": 4.9,
    "resp_loc.country_code": "US",
    "resp_loc.region": "CA",
    "resp_loc.city": "Santa Monica",
    "resp_loc.latitude": 34.011902,
    "resp_loc.longitude": -118.468201
  }

According to the Elasticsearch documentation, I need an output like:

"resp_loc": {
	"lat": 52.366699,
	"long": 4.9
}

https://www.elastic.co/guide/en/elasticsearch/reference/current/mapping-geo-point-type.html

