[Bro] host field
philosnef at gmail.com
Wed Oct 5 07:28:41 PDT 2016
OK, so. I absolutely must rename these fields, and I cannot wait to deploy
2.5, and cannot deploy the beta. Does anyone know all the analyzers that have
host explicitly defined in them so I can hack this manually?
There is absolutely no way that Splunk can keep up with JSON format,
because it has to run a regex against every event processed to rename the
host field. (The value host in Splunk is reserved.) We cannot do this
with the Bro JSON app, because that just puts us right back at square one
with tsidx file size issues.
On Tue, Oct 4, 2016 at 10:46 PM, Seth Hall <seth at icir.org> wrote:
> On Oct 4, 2016, at 12:32 PM, Michael Shirk <shirkdog.bsd at gmail.com> wrote:
> > Seth, in 2.5 is this the way to make elastic happy, so you can rename
> > 'id.orig_h' natively to whatever you want in Bro (minus the dots)?
> The way to make elasticsearch happy is probably this...
> redef Log::default_scope_sep = "_";
> It changes all of the periods in field names to anything you want
> (underscore in this case).
> Seth Hall
> International Computer Science Institute
> (Bro) because everyone has a network
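As an added example (not code from this thread, and not Bro's own), here is a local.bro fragment that combines the setting Seth names with JSON output and a rename of the reserved host field. It assumes Bro 2.5 or later and that the option Log::default_field_name_map exists in your release; the thread does not mention that option, so check base/frameworks/logging/main.bro before relying on it. The replacement name bro_host is an arbitrary choice.

```bro
# Added example for local.bro on a Bro 2.5+ sensor.  Assumptions:
#   - LogAscii::use_json selects one JSON object per line (present in 2.x).
#   - Log::default_field_name_map exists (assumed 2.5+; verify in your
#     release's base/frameworks/logging/main.bro).
#   - "bro_host" is just the name picked here; any non-reserved name works.
@load base/frameworks/logging

# Write every log as JSON instead of tab-separated columns.
redef LogAscii::use_json = T;

# Flatten nested record names when a log line is written:
#   id.orig_h  ->  id_orig_h
# so Elasticsearch (and Splunk's field extraction) no longer sees a dotted
# path.  This is the option Seth points at; it applies to every stream.
redef Log::default_scope_sep = "_";

# Rename columns at write time rather than with a regex downstream.  The
# key is the field name as it appears in the log; "host" is reserved in
# Splunk, so it is renamed here.  Note this is global: http.log and
# known_hosts.log both carry a "host" column and both get renamed, which
# is usually what you want for a single Splunk sourcetype per log.
redef Log::default_field_name_map += {
    ["host"] = "bro_host",
};
```

Because both options change field names in every log, update the Splunk props/transforms or the Elasticsearch index template in the same change window, otherwise existing searches on id.orig_h and host stop matching the moment the sensor restarts.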