[Bro] Bro -> Elasticsearch -> Kibana4beta -> GeoLocation

Thu Oct 29 13:15:10 PDT 2015

You should be able to customize how ElasticSearch stores the data via an
explicit mapping:
https://www.elastic.co/guide/en/elasticsearch/reference/current/object.html
(i.e., you would add lat and long as objects under the resp_loc object).

Alternatively, if all you want is to present a geo-point, there are some
other ways to represent that:
https://www.elastic.co/guide/en/elasticsearch/reference/current/geo-point.html

  --Vlad

On Wed, Oct 28, 2015 at 8:31 AM, Daniel Guerra <daniel.guerra69 at gmail.com>
wrote:

> To be more clear
> I use this bro script for geo location
>
> ##! Add geo_location for the originator and responder of a connection
> ##! to the connection logs.
>
> module Conn;
>
> export
>  {
> redef record Conn::Info +=
> {
> orig_loc: geo_location &optional &log;
>     resp_loc: geo_location &optional &log;
> };
> }
>
> event connection_state_remove(c: connection)
> {
> local orig_loc = lookup_location(c$id$orig_h);
>   if (orig_loc?$longitude && orig_loc?$latitude)
>     c$conn$orig_loc= orig_loc;
> local resp_loc = lookup_location(c$id$resp_h);
>   if (resp_loc?$longitude && resp_loc?$latitude)
>     c$conn$resp_loc= resp_loc;
> }
>
> Produces this output in json example
> {
>     "ts": "2013-04-26T12:12:02.341149Z",
>     "uid": "C0GaiXWHKY4Uj0qke",
>     "id.orig_h": "83.161.249.149",
>     "id.orig_p": 49318,
>     "id.resp_h": "68.232.35.139",
>     "id.resp_p": 443,
>     "proto": "tcp",
>     "conn_state": "SHR",
>     "missed_bytes": 0,
>     "history": "f",
>     "orig_pkts": 0,
>     "orig_ip_bytes": 0,
>     "resp_pkts": 1,
>     "resp_ip_bytes": 67,
>     "tunnel_parents": [],
>     "orig_loc.country_code": "NL",
>     "orig_loc.latitude": 52.366699,
>     "orig_loc.longitude": 4.9,
>     "resp_loc.country_code": "US",
>     "resp_loc.region": "CA",
>     "resp_loc.city": "Santa Monica",
>     "resp_loc.latitude": 34.011902,
>     "resp_loc.longitude": -118.468201
>   }
>
> According to the elasticsearch documentation i need an output like
>
> “resp_loc”: {
> “lat”: 52.366699,
> “long”:4.9
> }
>
>
> https://www.elastic.co/guide/en/elasticsearch/reference/current/mapping-geo-point-type.html
>
>
>
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20151029/b70ca052/attachment.html 