[Bro] Bro -> Elasticsearch -> Kibana4beta -> GeoLocation

Daniel Guerra daniel.guerra69 at gmail.com
Fri Oct 30 11:25:37 PDT 2015


The funny thing is that Elasticsearch stores the data internally
the same way the Bro output already is.

quote from the object document
Internally, this document is indexed as a simple, flat list of key-value pairs, something like this:

{
  "region":             "US",
  "manager.age":        30,
  "manager.name.first": "John",
  "manager.name.last":  "Smith"
}
Maybe this is an Elasticsearch problem …
To make it all work, ElasticSearch.cc has to change to do
the geo_point mapping. And maybe stop analysing strings like
user_agent, to avoid chopping the result down to the first word.
This could be solved by using URL-formatted strings (no spaces)
for the values you want to show in graphs etc.
The last thing is some naming collisions that Elasticsearch is
confused about, like version in ssh & socks, but that's easy
to change in their main scripts.

Daniel
> On 30 Oct 2015, at 14:46, Seth Hall <seth at icir.org> wrote:
> 
> 
>> On Oct 29, 2015, at 9:33 PM, Daniel Guerra <daniel.guerra69 at gmail.com> wrote:
>> 
>> I use the elasticsearch plugin in bro. I know logstash works fine but it's
>> very CPU intensive. Thanks anyway. 
> 
> Technically it can be done, but it would require changes to the JSON formatter (in the core).  This is actually a pretty reasonable request (and I like the idea a lot!).  It might not be too much work to implement it, it just needs to be done.
> 
>  .Seth
> 
> --
> Seth Hall
> International Computer Science Institute
> (Bro) because everyone has a network
> http://www.bro.org/
> 
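The three points raised above (a geo_point mapping for latitude/longitude pairs, not_analyzed strings for fields that Kibana aggregates on, and renaming fields such as version that collide between log types), worked through as an added example. This is illustration code, not Bro's ElasticSearch.cc writer and not code from the thread: the sample records are constructed in the shape of Bro's JSON output, the resp_lat/resp_lon field names are assumed to come from a site script calling lookup_location() (they are not Bro defaults), timestamps are left as plain numbers rather than mapped as dates, and the mapping syntax is the Elasticsearch 1.x/2.x form that was current at the time of the thread. The collision fix is done here at document-conversion time rather than in the Bro scripts as the post suggests.

```python
"""Added example (not Bro's ElasticSearch.cc): shape Bro JSON log records
into Elasticsearch documents plus an explicit mapping, covering geo_point
fields, not_analyzed strings and per-log-type renaming of colliding names."""
import json

# Constructed sample records in the shape of Bro's JSON writer output.
# resp_lat / resp_lon are ASSUMED names that a site script would add via
# lookup_location(); they are not fields Bro emits by default.
SAMPLE_CONN = {
    "ts": 1446200737.123,
    "uid": "CHhAvVGS1DHFjwGM9",
    "proto": "tcp",
    "resp_lat": 52.37,
    "resp_lon": 4.9,
}
SAMPLE_HTTP = {
    "ts": 1446200738.5,
    "uid": "C4J4Th3PJpwUYZZ6gc",
    "host": "example.com",
    "user_agent": "Mozilla/5.0 (X11; Linux x86_64) Firefox/41.0",
}
SAMPLE_SSH = {"ts": 1446200739.0, "uid": "CmES5u32sYpV7JYN",
              "version": 2, "auth_success": True}
SAMPLE_SOCKS = {"ts": 1446200740.0, "uid": "CkyZB72jL6QJi2bD",
                "version": 5, "status": "succeeded"}

# (lat, lon) field pairs to collapse into a single geo_point field.
GEO_PAIRS = {"resp_location": ("resp_lat", "resp_lon")}

# Fields Kibana aggregates on. If these stay analysed, the standard
# analyser tokenises them and a terms aggregation shows only the first
# token ("Mozilla/5.0") instead of the whole user agent string.
NOT_ANALYZED = {"uid", "host", "user_agent", "uri", "proto", "status"}

# Names that appear in more than one log type with a different meaning.
COLLIDING = {"version"}


def flatten(doc, prefix=""):
    """Mirror what the thread quotes from the ES docs: a nested object is
    indexed as a flat list of dotted key/value pairs."""
    flat = {}
    for key, value in doc.items():
        name = f"{prefix}.{key}" if prefix else key
        if isinstance(value, dict):
            flat.update(flatten(value, name))
        else:
            flat[name] = value
    return flat


def es_field_name(log_type, field):
    """Prefix colliding field names with the log type (version -> ssh_version)."""
    return f"{log_type}_{field}" if field in COLLIDING else field


def to_es_document(log_type, record):
    """Turn one Bro JSON record into the document to index: collapse lat/lon
    pairs into {"lat": .., "lon": ..} objects and rename colliding fields."""
    doc = {}
    consumed = set()
    for geo_field, (lat_field, lon_field) in GEO_PAIRS.items():
        if lat_field in record and lon_field in record:
            doc[geo_field] = {"lat": record[lat_field], "lon": record[lon_field]}
            consumed.update((lat_field, lon_field))
    for field, value in record.items():
        if field not in consumed:
            doc[es_field_name(log_type, field)] = value
    return doc


def _field_mapping(field, value):
    """Elasticsearch 1.x/2.x mapping for a single field, chosen from the value."""
    if isinstance(value, dict) and set(value) == {"lat", "lon"}:
        return {"type": "geo_point"}
    if isinstance(value, bool):          # bool before int: bool subclasses int
        return {"type": "boolean"}
    if isinstance(value, int):
        return {"type": "long"}
    if isinstance(value, float):
        return {"type": "double"}
    mapping = {"type": "string"}
    if field in NOT_ANALYZED:
        mapping["index"] = "not_analyzed"  # keep the whole value as one term
    return mapping


def build_mapping(log_type, record):
    """Explicit type mapping for one log type, derived from a sample record."""
    doc = to_es_document(log_type, record)
    props = {field: _field_mapping(field, value) for field, value in doc.items()}
    return {log_type: {"properties": props}}


if __name__ == "__main__":
    for log_type, sample in [("conn", SAMPLE_CONN), ("http", SAMPLE_HTTP),
                             ("ssh", SAMPLE_SSH), ("socks", SAMPLE_SOCKS)]:
        print(json.dumps(build_mapping(log_type, sample), indent=2))
        print(json.dumps(to_es_document(log_type, sample)))
```

The mapping has to be PUT before the first document of each type is indexed; otherwise Elasticsearch guesses a mapping from the first record it sees (analysed string for user_agent, two plain doubles for lat/lon) and the guess cannot be changed without reindexing.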
