[Bro] How use logs-to-elasticsearch.bro

Tim Desrochers tgdesrochers at gmail.com
Tue Mar 1 11:38:23 PST 2016


I use bro with ELK in production and it works great. I use bro to json and
all my logs are in json. Then use logstash to pick up the logs and the good
folks at elastic have created a plugin for de_dot. It's not perfect but
with some mutates it works fine for the time being. Kibana is a fine
interface to build dashboards and query the data.

Bro and ELK integration works great with a little tweaking. I'm happy to
share some configs if you're interested.
On Mar 1, 2016 11:31, "Michael Shirk" <shirkdog.bsd at gmail.com> wrote:

> I am happy this came up, as I have been going through the same issues for
> testing Brownian vs. ELK with Bro filters
>
> If it is not supported in Bro's JSON output, it would be nice to be able
> to configure it, as there may already be some parsing of the default JSON
> output of Bro with tools like Splunk.
>
> --
> Michael Shirk
> Daemon Security, Inc.
> http://www.daemon-security.com
> On Mar 1, 2016 11:06, "Seth Hall" <seth at icir.org> wrote:
>
>>
>> > On Mar 1, 2016, at 3:18 AM, Daniel Guerra <daniel.guerra69 at gmail.com>
>> wrote:
>> >
>> > There is a problem with elasticsearch 2.0 and higher.
>> > It doesn’t accept dots in field names and there are
>> > some timestamp issues.
>>
>> I know this discussion has been going on for a while and unfortunately
>> I've been a bit behind the curve on keeping up with it closely.  As someone
>> who seems to have been coping with this problem for a while, what do you
>> recommend?  Would it be best if we could do nested json documents in the
>> json output? i.e....
>>
>> {"ts":1223421341234.1234, "id": {"orig_h": "1.2.3.4",
>> "orig_p":1234.......etc }}
>>
>>   .Seth
>>
>> --
>> Seth Hall
>> International Computer Science Institute
>> (Bro) because everyone has a network
>> http://www.bro.org/
>>
>>
>> _______________________________________________
>> Bro mailing list
>> bro at bro-ids.org
>> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
>
>
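The nesting Seth asks about above, as an added example that is not code from this thread, from Bro, or from Logstash: a small Python transform that rewrites Bro's flat JSON keys such as `id.orig_h` into nested objects (so Elasticsearch 2.x, which rejects dots in field names, accepts the document) and converts the epoch-float `ts` into an ISO 8601 `@timestamp`. The sample conn.log line and the `_value` convention for prefix collisions are constructed assumptions, not Bro's own format.

```python
import json
from datetime import datetime, timezone

# Constructed sample of one Bro JSON conn.log line (not captured from a sensor).
SAMPLE_LINE = json.dumps({
    "ts": 1456849103.123, "uid": "CHhAvVGS1DHFjwGM9",
    "id.orig_h": "10.0.0.5", "id.orig_p": 51234,
    "id.resp_h": "93.184.216.34", "id.resp_p": 443,
    "proto": "tcp", "conn_state": "SF",
})


def nest_dotted_keys(flat):
    """Turn {"id.orig_h": v} into {"id": {"orig_h": v}}.

    Each dotted key is split into a path and materialised as nested dicts.
    If a prefix already holds a scalar (e.g. both "id" and "id.orig_h" are
    present), the scalar is parked under a "_value" key instead of being
    silently overwritten, whichever order the keys arrive in.
    """
    nested = {}
    for key, value in flat.items():
        parts = key.split(".")
        node = nested
        for part in parts[:-1]:
            child = node.get(part)
            if not isinstance(child, dict):
                child = {} if child is None else {"_value": child}
                node[part] = child
            node = child
        leaf = parts[-1]
        if isinstance(node.get(leaf), dict) and not isinstance(value, dict):
            node[leaf]["_value"] = value
        else:
            node[leaf] = value
    return nested


def to_es_document(line):
    """Parse one Bro JSON log line into an Elasticsearch-2.x-safe document."""
    doc = nest_dotted_keys(json.loads(line))
    # Bro writes ts as seconds since the epoch; ES wants a date string.
    ts = datetime.fromtimestamp(doc.pop("ts"), tz=timezone.utc)
    doc["@timestamp"] = ts.isoformat(timespec="milliseconds")
    return doc


if __name__ == "__main__":
    print(json.dumps(to_es_document(SAMPLE_LINE), indent=2))
```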