[Bro] How use logs-to-elasticsearch.bro
Seth Hall
seth at icir.org
Tue Mar 1 07:51:03 PST 2016
> On Mar 1, 2016, at 3:18 AM, Daniel Guerra <daniel.guerra69 at gmail.com> wrote:
>
> There is a problem with elasticsearch 2.0 and higher.
> It doesn’t accept dots in field names and there are
> some timestamp issues.
I know this discussion has been going on for a while and unfortunately I've been a bit behind the curve on keeping up with it closely. As someone who seems to have been coping with this problem for a while, what do you recommend? Would it be best if we could do nested json documents in the json output? i.e....
{"ts":1223421341234.1234, "id": {"orig_h": "1.2.3.4", "orig_p":1234.......etc }}
.Seth
--
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro.org/
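One way to perform the nesting Seth asks about, turning Bro's flat dotted field names (id.orig_h, id.orig_p, ...) into nested JSON objects that Elasticsearch 2.x will accept. This is an added example, not code from the thread or from Bro's own scripts; the record in FLAT_RECORD is constructed, and the collision check (a dotted prefix that also exists as a scalar field) is an assumption about what a safe converter should reject.

```python
import json

# Constructed sample: one Bro conn.log record in flat JSON form, with the
# dotted field names that Elasticsearch 2.0+ rejects.
FLAT_RECORD = {
    "ts": 1456822683.123456,
    "uid": "CExample1",
    "id.orig_h": "10.0.0.5",
    "id.orig_p": 51234,
    "id.resp_h": "192.0.2.10",
    "id.resp_p": 443,
    "proto": "tcp",
    "conn_state": "SF",
}

def nest_dotted_keys(flat):
    """Convert {"id.orig_h": ...} into {"id": {"orig_h": ...}}.
    Raises ValueError if a dotted prefix collides with a scalar field
    (e.g. both "id" and "id.orig_h" present), since silently overwriting
    one of them would lose log data."""
    nested = {}
    for key, value in flat.items():
        parts = key.split(".")
        node = nested
        for part in parts[:-1]:
            child = node.get(part)
            if child is None:
                child = node[part] = {}
            elif not isinstance(child, dict):
                raise ValueError(f"field {key!r} collides with scalar {part!r}")
            node = child
        last = parts[-1]
        if isinstance(node.get(last), dict):
            raise ValueError(f"scalar {key!r} collides with object {last!r}")
        node[last] = value
    return nested

def has_dotted_field(doc):
    """Return True if any key at any depth still contains a dot."""
    for k, v in doc.items():
        if "." in k or (isinstance(v, dict) and has_dotted_field(v)):
            return True
    return False

if __name__ == "__main__":
    print(json.dumps(nest_dotted_keys(FLAT_RECORD), indent=2))
```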