[Bro] Couple items for ES

Seth Hall seth at icir.org
Thu Sep 15 07:35:24 PDT 2016


> On Sep 14, 2016, at 11:53 AM, James Lay <jlay at slave-tothe-box.net> wrote:
> 
> a lot of your fields you can map via Kibana, but a couple you can't, namely ts, id.orig_h, id.resp_h.  Once that's done, here's a curl line to create a mapping template:

In 2.5 (beta right now), you can do this...
redef Log::default_scope_sep = "_";

That will get rid of periods in your log field names in all logs.

 .Seth


--
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro.org/
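An added illustration (not code from the thread or from the Bro project): a short Python script showing what that separator change does to the field names of a JSON conn.log record, and the kind of Elasticsearch index template James is describing for the fields Kibana cannot type by itself. The sample record, the index pattern and the template body shape are constructed assumptions.

```python
import json

# Constructed sample: one JSON conn.log record as Bro writes it with the
# default scope separator ".". Names such as id.orig_h are the problem,
# because Elasticsearch treats a dot as an object-path separator.
SAMPLE_CONN_JSON = (
    '{"ts":1473883524.123,"uid":"CHhAvVGS1DHFjwGM9","id.orig_h":"10.0.0.5",'
    '"id.orig_p":51234,"id.resp_h":"93.184.216.34","id.resp_p":443,'
    '"proto":"tcp","service":"ssl","duration":0.42}'
)


def rename_scoped_fields(record: dict, sep: str = "_") -> dict:
    """Replace the record-scope separator in every field name, which is what
    redef Log::default_scope_sep = "_" does at write time in Bro 2.5
    (id.orig_h -> id_orig_h). Useful for logs from older Bro versions."""
    return {name.replace(".", sep): value for name, value in record.items()}


def convert_log_line(line: str, sep: str = "_") -> dict:
    """Parse one JSON log line and return it with ES-safe field names."""
    return rename_scoped_fields(json.loads(line), sep)


def es_mapping_template(index_pattern: str = "bro-*", sep: str = "_") -> dict:
    """Build an index template typing the fields Kibana cannot infer: ts as a
    date (Bro writes epoch seconds) and both endpoint addresses as IPs. Field
    names use the same separator as the renamed records. The template body
    follows the Elasticsearch 2.x/5.x shape (an assumption, not from the thread)."""
    ip_field = {"type": "ip"}
    return {
        "template": index_pattern,
        "mappings": {
            "_default_": {
                "properties": {
                    "ts": {"type": "date", "format": "epoch_second"},
                    f"id{sep}orig_h": ip_field,
                    f"id{sep}resp_h": ip_field,
                }
            }
        },
    }


if __name__ == "__main__":
    print(json.dumps(convert_log_line(SAMPLE_CONN_JSON)))
    print(json.dumps(es_mapping_template(), indent=2))
```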