[Bro] script to extract elastic search mapping from header of bro-logs
Frank Meier
franky.meier.1 at gmx.de
Tue Apr 25 23:14:39 PDT 2017
Hello,
many of us use Elastic Search as a sink for bro-logs. I am thinking
about writing a script to extract the correct mapping from the bro
header.
This would mean:
* mapping data types:
    string, addr, enum -> string
    int, count, port -> long
    interval, double -> double
    time -> epoch_millis
* setting 'not_analyzed' for types like addr where this makes no sense
* handle container types (table, set, vector)
Any ideas? Has anyone done this before?
Franky
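The type rules sketched in the post, carried through as a working script. This is an added example, not code from the post's author or from the Bro project: the function names, the constructed conn.log-style header, and the ES 2.x mapping shape (`string` + `index: not_analyzed`, one mapping type per `#path`) are this example's own choices, and it extends the post's table with `bool -> boolean` and `subnet -> not_analyzed string`. Container types are reduced to their element type because an Elasticsearch field accepts multiple values anyway; mapping `table[K]` by its key type is an assumption.

```python
"""Build an Elasticsearch mapping from the #fields/#types lines of a Bro log.

Added example (not the original post's or the Bro project's code).  Follows
the type rules proposed on the list; ES 2.x mapping shape is assumed.
"""
import json
import re
from decimal import Decimal
from typing import Any, Dict, List, Optional, Tuple

# Constructed conn.log-style header for illustration; not a real capture.
SAMPLE_HEADER = (
    "#separator \\x09\n"
    "#set_separator\t,\n"
    "#empty_field\t(empty)\n"
    "#unset_field\t-\n"
    "#path\tconn\n"
    "#open\t2017-04-25-23-00-00\n"
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto"
    "\tservice\tduration\torig_bytes\tlocal_orig\ttunnel_parents\n"
    "#types\ttime\tstring\taddr\tport\taddr\tport\tenum"
    "\tstring\tinterval\tcount\tbool\tset[string]\n"
)

# Scalar Bro type -> ES 2.x mapping fragment.  addr/subnet/enum get
# not_analyzed so they are never tokenised (an IP split on '.' is useless).
SCALAR_MAPPING: Dict[str, Dict[str, Any]] = {
    "string":   {"type": "string"},
    "enum":     {"type": "string", "index": "not_analyzed"},
    "addr":     {"type": "string", "index": "not_analyzed"},
    "subnet":   {"type": "string", "index": "not_analyzed"},
    "int":      {"type": "long"},
    "count":    {"type": "long"},
    "port":     {"type": "long"},
    "interval": {"type": "double"},
    "double":   {"type": "double"},
    "time":     {"type": "date", "format": "epoch_millis"},
    "bool":     {"type": "boolean"},
}

# set[T], vector[T], table[K] (optionally followed by " of V")
CONTAINER_RE = re.compile(r"^(set|vector|table)\[([^\]]+)\]")


def parse_header(text: str) -> Tuple[str, List[str], List[str]]:
    """Return (path, fields, types) from the '#'-prefixed header lines."""
    path, fields, types = "", [], []  # type: str, List[str], List[str]
    for line in text.splitlines():
        if not line.startswith("#"):
            break  # first data row: the header is over
        key, _, value = line[1:].partition("\t")
        if key == "path":
            path = value
        elif key == "fields":
            fields = value.split("\t")
        elif key == "types":
            types = value.split("\t")
    if not fields or len(fields) != len(types):
        raise ValueError("#fields/#types mismatch: %d vs %d"
                         % (len(fields), len(types)))
    return path, fields, types


def bro_type_to_es(bro_type: str) -> Dict[str, Any]:
    """Map one Bro type (scalar or container) to an ES property mapping."""
    m = CONTAINER_RE.match(bro_type)
    if m:
        # ES fields are multi-valued by nature, so set/vector map to the
        # element type; table[K] is mapped by its key type (assumption).
        return bro_type_to_es(m.group(2))
    if bro_type not in SCALAR_MAPPING:
        raise ValueError("unknown Bro type %r" % bro_type)
    return dict(SCALAR_MAPPING[bro_type])


def build_mapping(header_text: str, dots_to_underscores: bool = True) -> Dict[str, Any]:
    """Turn a Bro log header into an ES index mapping keyed by #path.

    Bro names like id.orig_h contain dots; ES < 2.4 rejects them and
    later versions turn them into nested objects, so they are flattened
    to id_orig_h by default.
    """
    path, fields, types = parse_header(header_text)
    props = {}  # type: Dict[str, Any]
    for name, btype in zip(fields, types):
        if dots_to_underscores:
            name = name.replace(".", "_")
        props[name] = bro_type_to_es(btype)
    return {"mappings": {path: {"properties": props}}}


def bro_time_to_epoch_millis(value: str, unset: str = "-") -> Optional[int]:
    """Bro logs ts as epoch seconds with microseconds; epoch_millis wants
    integer milliseconds, so the shipper must convert.  Decimal avoids
    float rounding on the 16-digit value; the unset marker becomes None."""
    if value == unset:
        return None
    return int(Decimal(value) * 1000)


if __name__ == "__main__":
    print(json.dumps(build_mapping(SAMPLE_HEADER), indent=2))
```

Two things to keep in mind when reusing this: on Elasticsearch 5 and later the `string`/`not_analyzed` pair is replaced by the `keyword` type, so `SCALAR_MAPPING` needs one-line changes there; and the `epoch_millis` format only works if whatever ships the logs converts Bro's fractional-second `ts` to integer milliseconds, which is what `bro_time_to_epoch_millis` does.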