[Bro] script to extract elastic search mapping from header of bro-logs

Frank Meier franky.meier.1 at gmx.de
Tue Apr 25 23:14:39 PDT 2017


Hello,

many of us use Elastic Search as a sink for bro-logs. I am thinking
about writing a script to extract the correct mapping from the bro
header.

This would mean:
* mapping data types:
	string, addr, enum -> string
	int, count, port -> long
	interval, double -> double
	time -> epoch_millis
* setting 'not_analyzed' for types like addr where this makes no sense
* handle container types (table, set, vector)

Any ideas? Has anyone done this before?

Franky
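An added example of the script described in the mail above (it is not Frank's code, and nothing of the sort is in the thread): it parses the "#fields"/"#types" header lines of a Bro ASCII log, applies the type rules listed in the mail, and emits an Elasticsearch mapping. It assumes the Elasticsearch 2.x mapping syntax the mail's "not_analyzed" refers to (on 5.x and later, "string" with "index": "not_analyzed" becomes "keyword"), and the conn.log-style header it runs on is constructed for the example. Sets and vectors are mapped to their element type, since Elasticsearch fields accept arrays implicitly; tables are mapped to a dynamic object; dotted names such as id.orig_h are nested as objects.

```python
# Derive an Elasticsearch (2.x-style) mapping from a Bro ASCII log header.
import json
import re

# Scalar Bro types -> Elasticsearch property, following the rules in the mail.
SCALAR_RULES = {
    "string": {"type": "string"},
    "enum": {"type": "string"},
    # an address is never free text: keep it whole so exact-match queries work
    "addr": {"type": "string", "index": "not_analyzed"},
    "int": {"type": "long"},
    "count": {"type": "long"},
    "port": {"type": "long"},
    "interval": {"type": "double"},
    "double": {"type": "double"},
    "time": {"type": "date", "format": "epoch_millis"},
    "bool": {"type": "boolean"},  # assumption: not listed in the mail
}

SET_OR_VECTOR_RE = re.compile(r"^(set|vector)\[(.+)\]$")

# Constructed conn.log-style header. Bro writes the separator line as a
# space followed by the escape sequence \x09 (TAB); later lines use the TAB.
SAMPLE_HEADER = (
    "#separator \\x09\n"
    "#set_separator\t,\n"
    "#empty_field\t(empty)\n"
    "#unset_field\t-\n"
    "#path\tconn\n"
    "#open\t2017-04-25-23-00-00\n"
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto"
    "\tservice\tduration\torig_bytes\tconn_state\ttunnel_parents\n"
    "#types\ttime\tstring\taddr\tport\taddr\tport\tenum\tstring\tinterval"
    "\tcount\tstring\tset[string]\n"
    "1493165679.123456\tCHhAvVGS1DHFjwGM9\t10.0.0.5\t52344\t93.184.216.34\t80"
    "\ttcp\thttp\t0.25\t512\tSF\t(empty)\n"
)


def parse_header(text):
    """Return (log path, [(field, bro_type), ...]) from the '#' header lines."""
    sep = "\t"
    path = None
    fields = types = None
    for line in text.splitlines():
        if not line.startswith("#"):
            break  # first data row: the header is over
        if line.startswith("#separator "):
            # the separator is given as an escape sequence such as \x09
            sep = line[len("#separator "):].encode("ascii").decode("unicode_escape")
            continue
        key, _, rest = line[1:].partition(sep)
        if key == "fields":
            fields = rest.split(sep)
        elif key == "types":
            types = rest.split(sep)
        elif key == "path":
            path = rest
    if fields is None or types is None or len(fields) != len(types):
        raise ValueError("header lacks matching #fields and #types lines")
    return path, list(zip(fields, types))


def es_property(bro_type):
    """Translate one Bro type (scalar or container) into an ES property."""
    m = SET_OR_VECTOR_RE.match(bro_type)
    if m:
        # ES fields hold arrays implicitly, so set[T]/vector[T] map like T
        return es_property(m.group(2))
    if bro_type.startswith("table["):
        # ES has no map type; a table becomes an object with dynamic keys
        return {"type": "object", "dynamic": True}
    if bro_type in SCALAR_RULES:
        return dict(SCALAR_RULES[bro_type])
    # fail loudly rather than let ES guess a dynamic mapping for the column
    raise ValueError("no mapping rule for Bro type %r" % bro_type)


def build_mapping(path, columns):
    """Build {path: {"properties": ...}}, nesting dotted names like id.orig_h."""
    props = {}
    for name, bro_type in columns:
        node = props
        parts = name.split(".")
        for part in parts[:-1]:
            node = node.setdefault(part, {"properties": {}})["properties"]
        node[parts[-1]] = es_property(bro_type)
    return {path: {"properties": props}}


def mapping_from_log(text):
    path, columns = parse_header(text)
    return build_mapping(path, columns)


if __name__ == "__main__":
    print(json.dumps(mapping_from_log(SAMPLE_HEADER), indent=2, sort_keys=True))
```

Two caveats when using the output: "epoch_millis" expects integer milliseconds, while Bro writes "ts" as seconds with a fractional part, so the ingest side (e.g. a Logstash filter) still has to convert the value before indexing; and the script deliberately raises on Bro types it has no rule for (subnet, pattern, and so on) instead of falling back to a string, so a new column gets an explicit rule rather than whatever Elasticsearch guesses.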

