[Bro] script to extract elastic search mapping from header of bro-logs

Johanna Amann johanna at icir.org
Wed Apr 26 05:10:04 PDT 2017


Hi,

in case you are talking about importing a Bro ASCII log into the database
- I did something like that for Postgres once. My script automatically
created tables with the right types (including stuff like inet), and
converted sets and vectors to postgres arrays.

Source is at https://github.com/0xxon/bro-utils

Johanna

On Wed, Apr 26, 2017 at 08:14:39AM +0200, Frank Meier wrote:
> Hello,
> 
> many of us use Elastic Search as a sink for bro-logs. I am thinking
> about writing a script to extract the correct mapping from the bro
> header.
> 
> This would mean:
> * mapping data types:
> 	string, addr, enum -> string
> 	int, count, port -> long
> 	interval, double -> double
> 	time -> epoch_millis
> * setting 'not_analyzed' for types like addr where this makes no sense
> * handle container types (table, set, vector)
> 
> Any ideas? Has anyone done this before?
> 
> Franky
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
> 
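The header-to-mapping script Frank sketches, as an added example (not code from the thread or from bro-utils): it reads `#fields`/`#types` from a Bro ASCII log header, applies the type table from the post, treats set/vector/table as multi-valued fields of their element type, and turns dotted names such as `id.orig_h` into nested objects. The Elasticsearch 2.x `not_analyzed` choice for addr and enum and the sample header are assumptions.

```python
import re

# Bro type -> Elasticsearch 2.x field definition, following the mapping in the post.
SCALAR = {"string": {"type": "string"}, "int": {"type": "long"}, "count": {"type": "long"},
          "port": {"type": "long"}, "interval": {"type": "double"}, "double": {"type": "double"},
          "time": {"type": "date", "format": "epoch_millis"}}
for _t in ("addr", "enum"):  # assumed: tokenising these makes no sense, so not_analyzed
    SCALAR[_t] = {"type": "string", "index": "not_analyzed"}
CONTAINER = re.compile(r"^(set|vector|table)\[(.+)\]$")

def bro_type_to_es(bro_type):
    """Map one Bro type; containers map to their element type (ES fields are multi-valued)."""
    m = CONTAINER.match(bro_type)
    if m:
        return bro_type_to_es(m.group(2))
    if bro_type not in SCALAR:
        raise ValueError("unsupported Bro type: %s" % bro_type)
    return dict(SCALAR[bro_type])

def parse_header(log_text):
    """Return [(field, type), ...] from a Bro ASCII log header, honouring #separator."""
    sep, fields, types = "\t", None, None
    for line in log_text.splitlines():
        if line.startswith("#separator "):
            sep = line.split(" ", 1)[1].encode().decode("unicode_escape")
        elif line.startswith("#fields" + sep):
            fields = line.split(sep)[1:]
        elif line.startswith("#types" + sep):
            types = line.split(sep)[1:]
    if fields is None or types is None or len(fields) != len(types):
        raise ValueError("header lacks #fields/#types or their lengths differ")
    return list(zip(fields, types))

def es_mapping(fields):
    """Build the mapping; dotted names such as id.orig_h become nested objects."""
    props = {}
    for name, bro_type in fields:
        node = props
        *parents, leaf = name.split(".")
        for p in parents:
            node = node.setdefault(p, {"properties": {}})["properties"]
        node[leaf] = bro_type_to_es(bro_type)
    return {"properties": props}

# Constructed header in the style of a Bro conn.log (not a real capture).
SAMPLE = ("#separator \\x09\n#set_separator\t,\n"
          "#fields\tts\tuid\tid.orig_h\tid.orig_p\tproto\tduration\ttunnel_parents\n"
          "#types\ttime\tstring\taddr\tport\tenum\tinterval\tset[string]\n")
```

Feed `es_mapping(parse_header(open("conn.log").read()))` to the index mapping API; a type the table does not know raises rather than silently landing as an analyzed string.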

