[Bro] ElasticSearch plugin

Landy Bible landy-bible at utulsa.edu
Tue Jun 14 09:03:36 PDT 2016


For what it's worth, using the de_dot filter in logstash with the following
config converts the fields to be nested, and didn't even require any
changes to any of my kibana queries or dashboards. Everything just worked.
ElasticSearch is happy and I can upgrade to v2 now and nothing changed from
the user's point of view. All I did was tack this on the end of my filter
config file on my logstash servers.

filter {
  de_dot {
    nested => true
  }
}

Of course, I wouldn't complain about bro just nesting correctly in JSON. :)

-Landy

Landy Bible
Information Security Analyst
The University of Tulsa
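What the de_dot filter with nested => true does to a Bro JSON log line, as an added illustration (this is not code from the thread or from the logstash plugin): dotted field names such as "id.orig_h" are rebuilt into nested objects, which is the shape ElasticSearch 2 accepts. The sample conn record below is constructed, and the helper also reports the case the filter cannot resolve, where a name is used both as a value and as a prefix.

```python
import json

# Constructed sample: one Bro conn.log record as the JSON writer emits it,
# with the nested `id` record flattened into dotted field names.
SAMPLE_LINE = (
    '{"ts":1465920216.0,"uid":"CXWv6p3arKYeMETxOg","id.orig_h":"10.0.0.5",'
    '"id.orig_p":51234,"id.resp_h":"192.0.2.10","id.resp_p":443,'
    '"proto":"tcp","conn_state":"SF"}'
)


def dotted_keys(doc, sep=".", prefix=""):
    """List every key (recursively) that still contains `sep`; ElasticSearch 2
    rejects documents for which this list is non-empty."""
    found = []
    for key, value in doc.items():
        path = prefix + key
        if sep in key:
            found.append(path)
        if isinstance(value, dict):
            found.extend(dotted_keys(value, sep, path + "/"))
    return found


def nest_dotted_fields(doc, sep="."):
    """Return a copy of `doc` in which keys containing `sep` become nested
    objects, mirroring de_dot with `nested => true`. A name that is both a
    leaf value and a prefix cannot be represented, so it raises instead of
    silently overwriting one of the two."""
    out = {}
    for key, value in doc.items():
        *parents, leaf = key.split(sep)
        node = out
        for part in parents:
            child = node.setdefault(part, {})
            if not isinstance(child, dict):
                raise ValueError(f"{part!r} is used as both a value and a prefix")
            node = child
        if isinstance(node.get(leaf), dict) and not isinstance(value, dict):
            raise ValueError(f"{leaf!r} is used as both a value and a prefix")
        node[leaf] = value
    return out


def nest_log_line(line, sep="."):
    """Parse one JSON log line and re-serialise it with nested records."""
    return json.dumps(nest_dotted_fields(json.loads(line), sep), sort_keys=True)


if __name__ == "__main__":
    print(nest_log_line(SAMPLE_LINE))
```

The `sep` parameter exists because the thread also mentions "$" as the separator Bro uses elsewhere; pass it if the flattened names use that character instead.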

On Tue, Jun 14, 2016 at 9:21 AM, Azoff, Justin S <jazoff at illinois.edu>
wrote:

>
> > On Jun 14, 2016, at 9:04 AM, Vlad Grigorescu <vladg at illinois.edu> wrote:
> >
> > I think the better solution would simply be to make the record separator
> > redef-able in the formatter. I can *maybe* see the argument for using
> > '.' instead of '$' in the ASCII logs, but since the other separators are
> > user-definable, I think this one should be as well.
>
> I know we talked about this at one point, I think the real fix is to log
> nested records natively in json.
>
> The ascii writer needs to expand nested fields, but the json writer
> doesn't, so it can natively log a conn record as
>
> {id: {orig_h: "1.2.3.4", orig_h: 123, resp_h: "5.6.7.8", resp_p: 456}, ...
> }
>
>
> --
> - Justin Azoff
>
>
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
>