[Bro] How use logs-to-elasticsearch.bro

Michael Shirk shirkdog.bsd at gmail.com
Tue Mar 1 08:29:29 PST 2016


I am happy this came up, as I have been going through the same issues for
testing Brownian vs. ELK with Bro filters.

If it is not supported in Bro's JSON output, it would be nice to be able to
configure it, as there may already be some parsing of the default JSON
output of Bro with tools like Splunk.

--
Michael Shirk
Daemon Security, Inc.
http://www.daemon-security.com
On Mar 1, 2016 11:06, "Seth Hall" <seth at icir.org> wrote:

>
> > On Mar 1, 2016, at 3:18 AM, Daniel Guerra <daniel.guerra69 at gmail.com>
> wrote:
> >
> > There is a problem with elasticsearch 2.0 and higher.
> > It doesn’t accept dots in field names and there are
> > some timestamp issues.
>
> I know this discussion has been going on for a while and unfortunately
> I've been a bit behind the curve on keeping up with it closely.  As someone
> who seems to have been coping with this problem for a while, what do you
> recommend?  Would it be best if we could do nested json documents in the
> json output? i.e....
>
> {"ts":1223421341234.1234, "id": {"orig_h": "1.2.3.4",
> "orig_p":1234.......etc }}
>
>   .Seth
>
> --
> Seth Hall
> International Computer Science Institute
> (Bro) because everyone has a network
> http://www.bro.org/
>
>
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
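The nested-document layout Seth sketches above (a dotted Bro field name such as id.orig_h becoming an "orig_h" key inside an "id" object) can be produced outside of Bro as a post-processing step before the record reaches Elasticsearch. The following is an added example, not code from the Bro project or from either poster. It assumes a constructed conn.log JSON line with Bro's default epoch-seconds "ts", writes the converted time into an "@timestamp" field (a field name chosen here, not mandated by the thread), and also shows the flatter alternative of replacing dots with underscores, for setups whose existing parsers expect a flat document:

```python
import json
from datetime import datetime, timezone
from typing import Any, Dict

# Constructed sample record in the shape of Bro's default JSON conn.log output
# (values are made up; "ts" is epoch seconds as Bro writes it by default).
SAMPLE_LINE = (
    '{"ts":1456847369.5,"uid":"CHhAvVGS1DHFjwGM9","id.orig_h":"10.0.0.5",'
    '"id.orig_p":51234,"id.resp_h":"192.0.2.10","id.resp_p":80,'
    '"proto":"tcp","service":"http","conn_state":"SF"}'
)


def nest_dotted_keys(record: Dict[str, Any]) -> Dict[str, Any]:
    """Turn {"id.orig_h": x} into {"id": {"orig_h": x}}.

    A record that carries both a scalar "id" and a dotted "id.orig_h" cannot
    be expressed as one nested document, so that case raises instead of
    silently overwriting one of the two values.
    """
    nested: Dict[str, Any] = {}
    for key, value in record.items():
        parts = key.split(".")
        node = nested
        for part in parts[:-1]:
            child = node.get(part)
            if child is None:
                child = node[part] = {}
            elif not isinstance(child, dict):
                raise ValueError(f"{key!r} conflicts with scalar field {part!r}")
            node = child
        leaf = parts[-1]
        if isinstance(node.get(leaf), dict):
            raise ValueError(f"{key!r} conflicts with nested object {leaf!r}")
        node[leaf] = value
    return nested


def flatten_dotted_keys(record: Dict[str, Any], sep: str = "_") -> Dict[str, Any]:
    """Alternative that keeps a flat document: 'id.orig_h' -> 'id_orig_h'."""
    return {key.replace(".", sep): value for key, value in record.items()}


def epoch_to_iso8601(ts: float) -> str:
    """Render Bro's epoch-seconds timestamp as ISO 8601 UTC with microseconds."""
    return datetime.fromtimestamp(ts, tz=timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.%fZ")


def to_es_document(line: str, nest: bool = True) -> Dict[str, Any]:
    """Parse one Bro JSON log line into an Elasticsearch 2.x-friendly document.

    nest=True produces nested objects; nest=False replaces dots with underscores.
    A numeric "ts" is moved to "@timestamp" (name assumed here) as ISO 8601;
    a "ts" that is already a string is left untouched.
    """
    record = json.loads(line)
    doc = nest_dotted_keys(record) if nest else flatten_dotted_keys(record)
    ts = doc.get("ts")
    if isinstance(ts, (int, float)) and not isinstance(ts, bool):
        doc["@timestamp"] = epoch_to_iso8601(doc.pop("ts"))
    return doc


if __name__ == "__main__":
    print(json.dumps(to_es_document(SAMPLE_LINE), indent=2))
    print(json.dumps(to_es_document(SAMPLE_LINE, nest=False), indent=2))
```

The collision check matters more than it looks: Bro's own record types never mix a scalar "id" with "id.orig_h", but a log extended by a site-local script or merged from another source can, and Elasticsearch will reject a mapping that has the same path as both object and scalar, so failing loudly at conversion time is the cheaper place to catch it.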