[Bro] Couple items for ES
James Lay
jlay at slave-tothe-box.net
Thu Sep 15 07:40:48 PDT 2016
On 2016-09-15 08:35, Seth Hall wrote:
>> On Sep 14, 2016, at 11:53 AM, James Lay <jlay at slave-tothe-box.net>
>> wrote:
>>
>> a lot of your fields you can map via Kibana, but a couple you can't,
>> namely ts, id.orig_h, id.resp_h. Once that's done here's a curl line
>> to create a mapping template:
>
> In 2.5 (beta right now), you can do this...
> redef Log::default_scope_sep = "_";
>
> That will get rid of periods from your logs field names in all logs.
>
> .Seth
>
>
> --
> Seth Hall
> International Computer Science Institute
> (Bro) because everyone has a network
> http://www.bro.org/
Excellent... file that under the "more than one way to skin a cat"
category... looking forward to 2.5... thanks Seth.
James
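As an added illustration of what the two approaches in this thread amount to (this is example code, not from the thread, from Bro, or from Elasticsearch), the script below takes a constructed conn.log record as Bro's JSON writer emits it with the default "." scope separator, shows which keys Elasticsearch 2.x rejects for containing dots, renames them to "_" the way `redef Log::default_scope_sep = "_"` would make Bro write them in the first place, and builds a mapping template that types only the three fields named above (ts, id.orig_h, id.resp_h) and leaves the rest to dynamic mapping. The sample record, the `bro-*` index pattern, and the choice to store ts as integer epoch milliseconds with the `date`/`epoch_millis` and `ip` mapping types are assumptions for the example.

```python
import json

# Constructed sample record (not from the thread): one conn.log entry as
# Bro's JSON writer emits it with the default scope separator ".".
SAMPLE_RECORD = {
    "ts": 1473867348.123456,
    "uid": "CHhAvVGS1DHFjwGM9",
    "id.orig_h": "192.0.2.10",
    "id.orig_p": 51234,
    "id.resp_h": "198.51.100.20",
    "id.resp_p": 443,
    "proto": "tcp",
}
SAMPLE_LINE = json.dumps(SAMPLE_RECORD)


def dotted_keys(record):
    """Field names Elasticsearch 2.x rejects because they contain '.'."""
    return sorted(k for k in record if "." in k)


def rescope(record, old_sep=".", new_sep="_"):
    """Rename nested-record fields the way Log::default_scope_sep = "_"
    makes Bro write them: every old_sep in a key becomes new_sep.
    Values are left untouched."""
    return {k.replace(old_sep, new_sep): v for k, v in record.items()}


def rescope_line(line, new_sep="_"):
    """Parse one JSON log line and return the rescoped record.
    Bro's float epoch-seconds ts is converted to integer milliseconds
    (assumed convention, matching the epoch_millis mapping below)."""
    rec = rescope(json.loads(line), new_sep=new_sep)
    if "ts" in rec:
        rec["ts"] = int(round(rec["ts"] * 1000))
    return rec


def mapping_template(index_pattern="bro-*", sep="_"):
    """Index template body typing only the three fields the thread names;
    everything else is left to Elasticsearch's dynamic mapping.
    (Template shape and type names are assumptions for this example.)"""
    return {
        "template": index_pattern,
        "mappings": {
            "_default_": {
                "properties": {
                    "ts": {"type": "date", "format": "epoch_millis"},
                    "id" + sep + "orig_h": {"type": "ip"},
                    "id" + sep + "resp_h": {"type": "ip"},
                }
            }
        },
    }


if __name__ == "__main__":
    print("dotted keys before:", dotted_keys(SAMPLE_RECORD))
    after = rescope_line(SAMPLE_LINE)
    print("dotted keys after: ", dotted_keys(after))
    print(json.dumps(after, sort_keys=True))
    print(json.dumps(mapping_template(), indent=2))
```

With the separator change in place, `dotted_keys` comes back empty and the mapping template's property names line up with what Bro now writes, so no per-field renaming is needed on the ingest side.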