[Bro] host field
James Lay
jlay at slave-tothe-box.net
Tue Oct 4 09:39:27 PDT 2016
Dots were fixed in 2.4.0:
https://www.elastic.co/blog/elasticsearch-2-4-0-released
"You can disable the check which prohibits dots in field names by
starting Elasticsearch as follows:
export ES_JAVA_OPTS="-Dmapper.allow_dots_in_name=true"
./bin/elasticsearch"
James
On 2016-10-04 10:32, Michael Shirk wrote:
> Seth, in 2.5 is this the way to make elastic happy, so you can rename
> 'id.orig_h' natively to whatever you want in Bro (minus the dots)?
>
> --
> Michael Shirk
> Daemon Security, Inc.
> http://www.daemon-security.com
>
> On Oct 4, 2016 12:26 PM, "erik clark" <philosnef at gmail.com> wrote:
>
>> Ah shoot, but not in 2.4. Ok, thanks!
>>
>> On Tue, Oct 4, 2016 at 12:14 PM, Seth Hall <seth at icir.org> wrote:
>>
>>>> On Oct 4, 2016, at 11:13 AM, erik clark <philosnef at gmail.com>
>>> wrote:
>>>>
>>>> Is there a non-invasive way to rename the host field in bro log
>>> output?
>>>
>>> In 2.5....
>>>
>>> redef Log::default_field_name_map = {
>>> ["host"] = "something_else",
>>> };
>>>
>>> You can do this per-filter too, but this setting is a global
>>> default for all writers and filters.
>>>
>>> .Seth
>>>
>>> --
>>> Seth Hall
>>> International Computer Science Institute
>>> (Bro) because everyone has a network
>>> http://www.bro.org/
>>
>> _______________________________________________
>> Bro mailing list
>> bro at bro-ids.org
>> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
>
>
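As an added example (not code from the thread), a Bro 2.5 script that applies the Log::default_field_name_map setting Seth describes to the dotted conn-log fields Michael asks about, plus the per-filter variant. The Log::Filter $field_name_map field and the ASCII writer's "use_json" filter config key are assumptions here, not something the thread states.

```bro
# Added example: strip the dots Elasticsearch 2.x rejects from Bro's
# conn-log field names, and rename "host" as in Seth's reply.
@load base/protocols/conn

# Global default: applies to every writer and filter unless a filter
# overrides it. Keys are the original field names, values the new ones.
redef Log::default_field_name_map = {
    ["id.orig_h"] = "id_orig_h",
    ["id.orig_p"] = "id_orig_p",
    ["id.resp_h"] = "id_resp_h",
    ["id.resp_p"] = "id_resp_p",
    ["host"]      = "something_else",
};

# Per-filter override: a second, JSON-only conn log meant for Elasticsearch
# with its own names, while the default conn.log keeps the global map above.
# $field_name_map on Log::Filter and the "use_json" config key are assumed.
event bro_init()
    {
    Log::add_filter(Conn::LOG, [$name = "conn-es",
                                $path = "conn-es",
                                $config = table(["use_json"] = "T"),
                                $field_name_map = table(["id.orig_h"] = "src_ip",
                                                        ["id.orig_p"] = "src_port",
                                                        ["id.resp_h"] = "dst_ip",
                                                        ["id.resp_p"] = "dst_port")]);
    }
```

Load it from local.bro and check the header line of conn.log and conn-es.log to confirm no field name still contains a dot before pointing a shipper at Elasticsearch.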