[Bro] host field

M P mpselab at gmail.com
Tue Oct 4 20:58:10 PDT 2016


As far as I understand it, going this route in 2.4 and then
later upgrading to 5.x may create conflicts and cause unforeseen issues, as
suggested here:

https://www.elastic.co/guide/en/elasticsearch/reference/current/dots-in-names.html


On Tuesday, October 4, 2016, James Lay <jlay at slave-tothe-box.net> wrote:

> Dots were fixed in 2.4.0:
>
> https://www.elastic.co/blog/elasticsearch-2-4-0-released
>
> "You can disable the check which prohibits dots in field names by
> starting Elasticsearch as follows:
>
> export ES_JAVA_OPTS="-Dmapper.allow_dots_in_name=true"
> ./bin/elasticsearch"
>
> James
>
> On 2016-10-04 10:32, Michael Shirk wrote:
> > Seth, in 2.5 is this the way to make elastic happy, so you can rename
> > 'id.orig_h' natively to whatever you want in Bro (minus the dots)?
> >
> > --
> > Michael Shirk
> > Daemon Security, Inc.
> > http://www.daemon-security.com
> >
> > On Oct 4, 2016 12:26 PM, "erik clark" <philosnef at gmail.com> wrote:
> >
> >> Ah shoot, but not in 2.4. Ok, thanks!
> >>
> >> On Tue, Oct 4, 2016 at 12:14 PM, Seth Hall <seth at icir.org> wrote:
> >>
> >>>> On Oct 4, 2016, at 11:13 AM, erik clark <philosnef at gmail.com> wrote:
> >>>>
> >>>> Is there a non-invasive way to rename the host field in bro log
> >>> output?
> >>>
> >>> In 2.5....
> >>>
> >>> redef Log::default_field_name_map = {
> >>> ["host"] = "something_else",
> >>> };
> >>>
> >>> You can do this per-filter too, but this setting is a global
> >>> default for all writers and filters.
> >>>
> >>> .Seth
> >>>
> >>> --
> >>> Seth Hall
> >>> International Computer Science Institute
> >>> (Bro) because everyone has a network
> >>> http://www.bro.org/
> >>
> >> _______________________________________________
> >> Bro mailing list
> >> bro at bro-ids.org
> >> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
>
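Seth's snippet shows the global map; the per-filter form he mentions is illustrated below as an added example (not code from the thread). It assumes Bro 2.5 with Log::Filter$field_name_map available, that the ASCII writer honors the per-filter "use_json" config key, and the hypothetical filter name "conn-json-es":

```bro
##! Added example: rename the dotted conn.log id fields only on a second,
##! JSON-formatted conn filter destined for Elasticsearch, so the default
##! TSV conn.log keeps its documented field names and no
##! -Dmapper.allow_dots_in_name override is needed on the ES side.

@load base/protocols/conn

# Assumed: Bro 2.5 per-filter field_name_map (Log::Filter$field_name_map).
const es_field_map: table[string] of string = {
    ["id.orig_h"] = "id_orig_h",
    ["id.orig_p"] = "id_orig_p",
    ["id.resp_h"] = "id_resp_h",
    ["id.resp_p"] = "id_resp_p",
} &redef;

event bro_init() &priority=-5
    {
    # Hypothetical filter name and path; adjust to match your shipper.
    local es_filter = Log::Filter(
        $name = "conn-json-es",
        $path = "conn_es",
        # Assumed: the ASCII writer reads "use_json" from the filter config.
        $config = table(["use_json"] = "T"),
        $field_name_map = es_field_map);

    # The default "conn" filter is left untouched; only conn_es.log is renamed.
    Log::add_filter(Conn::LOG, es_filter);
    }
```

To rename everywhere instead (every writer and filter), put the same entries into Log::default_field_name_map as in Seth's reply and drop the extra filter.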