[Bro] host field

James Lay jlay at slave-tothe-box.net
Tue Oct 4 09:39:27 PDT 2016


Dots were fixed in 2.4.0:

https://www.elastic.co/blog/elasticsearch-2-4-0-released

"You can disable the check which prohibits dots in field names by 
starting Elasticsearch as follows:

export ES_JAVA_OPTS="-Dmapper.allow_dots_in_name=true"
./bin/elasticsearch"

James

On 2016-10-04 10:32, Michael Shirk wrote:
> Seth, in 2.5 is this the way to make elastic happy, so you can rename
> 'id.orig_h' natively to whatever you want in Bro (minus the dots)?
> 
> --
> Michael Shirk
> Daemon Security, Inc.
> http://www.daemon-security.com
> 
> On Oct 4, 2016 12:26 PM, "erik clark" <philosnef at gmail.com> wrote:
> 
>> Ah shoot, but not in 2.4. Ok, thanks!
>> 
>> On Tue, Oct 4, 2016 at 12:14 PM, Seth Hall <seth at icir.org> wrote:
>> 
>>>> On Oct 4, 2016, at 11:13 AM, erik clark <philosnef at gmail.com>
>>> wrote:
>>>> 
>>>> Is there a non-invasive way to rename the host field in bro log
>>> output?
>>> 
>>> In 2.5....
>>> 
>>> redef Log::default_field_name_map = {
>>> ["host"] = "something_else",
>>> };
>>> 
>>> You can do this per-filter too, but this setting is a global
>>> default for all writers and filters.
>>> 
>>> .Seth
>>> 
>>> --
>>> Seth Hall
>>> International Computer Science Institute
>>> (Bro) because everyone has a network
>>> http://www.bro.org/
>> 
>> _______________________________________________
>> Bro mailing list
>> bro at bro-ids.org
>> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro [1]
> 
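The fix discussed in the thread lives in Bro 2.5's Log::default_field_name_map. For the situation erik describes (Bro before 2.5 feeding an Elasticsearch that still rejects dots in field names), the same rename can be applied to Bro's JSON log lines on the shipper side before they are indexed. The following is an added example written for this page, not code from the thread or from the Bro project: the field map, the http.log sample lines and the `parse_and_rename` / `rename_log_lines` helpers are all constructed here, and the dotted keys assume Bro's JSON writer flattens nested records with "." exactly as the thread's `id.orig_h` shows.

```python
import json

# Constructed map, shaped like the table Seth shows for
# Log::default_field_name_map: full (flattened) field name -> replacement.
FIELD_NAME_MAP = {
    "id.orig_h": "id_orig_h",
    "id.orig_p": "id_orig_p",
    "id.resp_h": "id_resp_h",
    "id.resp_p": "id_resp_p",
    "host": "http_host",   # the rename erik asked about, applied to http.log
}

# Constructed Bro http.log lines in JSON form (not real traffic).
SAMPLE_LOG_LINES = [
    '{"ts":1475598387.123,"uid":"CXWv6p3arKYeMETxOg","id.orig_h":"10.0.0.5",'
    '"id.orig_p":51234,"id.resp_h":"93.184.216.34","id.resp_p":80,'
    '"trans_depth":1,"method":"GET","host":"example.com","uri":"/"}',
    '{"ts":1475598388.456,"uid":"CaDf3Zm9kLw2ErtXyh","id.orig_h":"10.0.0.7",'
    '"id.orig_p":40022,"id.resp_h":"93.184.216.34","id.resp_p":80,'
    '"trans_depth":1,"method":"POST","host":"example.com","uri":"/login"}',
]


def rename_field(name, field_map=FIELD_NAME_MAP):
    """Explicit map entries win; any other dotted name falls back to dots -> underscores."""
    if name in field_map:
        return field_map[name]
    return name.replace(".", "_")


def rename_record(record, field_map=FIELD_NAME_MAP):
    """Rename every top-level key of one parsed log record.

    A map that sends two source fields to the same target would silently
    overwrite one of them at index time, so that case is rejected here.
    """
    out = {}
    for key, value in record.items():
        new_key = rename_field(key, field_map)
        if new_key in out:
            raise ValueError(f"field name collision: {key!r} -> {new_key!r}")
        out[new_key] = value
    return out


def dotted_fields(record):
    """Keys that Elasticsearch < 2.4 would reject; empty after a successful rename."""
    return [k for k in record if "." in k]


def parse_and_rename(line, field_map=FIELD_NAME_MAP):
    """One JSON log line in, one renamed record (dict) out."""
    return rename_record(json.loads(line), field_map)


def rename_log_lines(lines, field_map=FIELD_NAME_MAP):
    """Renamed JSON lines ready for the bulk indexer; blank lines are skipped."""
    return [
        json.dumps(parse_and_rename(line, field_map))
        for line in lines
        if line.strip()
    ]


if __name__ == "__main__":
    for renamed in rename_log_lines(SAMPLE_LOG_LINES):
        print(renamed)
```

Once Bro 2.5 is in place the map above moves into a `redef Log::default_field_name_map` (or a per-filter `field_name_map`) and the shim can be dropped, with no change to the downstream index mapping.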

