[Bro] script to extract elastic search mapping from header of bro-logs

Vlad Grigorescu vladg at illinois.edu
Fri Apr 28 07:55:05 PDT 2017


ElasticSearch gets difficult, because there's a lot of context-specific
data that should be captured too, especially when it comes to indexing.
For example, I liked to index domain names with a reverse-path
tokenization on '.' as the delimiter, so that www.ncsa.illinois.edu will
show up in searches for "edu," "illinois.edu," "ncsa.illinois.edu," and
"www.ncsa.illinois.edu." Capturing this context can be very tricky, and
I don't think that it's currently available in the ASCII logs.

I'd be curious if anyone has thoughts on how to improve this.

  --Vlad

Frank Meier <franky.meier.1 at gmx.de> writes:

> Hi,
>
> On Wed, 26 Apr 2017 05:10:04 -0700 Johanna Amann <johanna at icir.org>
> wrote:
>
>> Hi,
>> 
>> in case you are talking about importing a Bro ASCII log into the
>> database
>> - I did something like that for Postgres once. My script automatically
>> created tables with the right types (including stuff like inet), and
>> converted sets and vectors to postgres arrays.
>>
>
> thanks, that's what I was thinking about. 
>
> Franky 
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
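A script of the kind the subject line asks for, as an added example that is not Vlad's, Johanna's or the Bro project's own code: it reads the #fields/#types header of a Bro ASCII log, emits an Elasticsearch mapping (typeless, 7.x style), and attaches a reversed path_hierarchy analyzer so the domain columns match on every suffix the way the message describes. The Bro-to-Elasticsearch type table, the DOMAIN_FIELDS set and the sample dns.log header are assumptions.

```python
import re
# Assumed Bro -> Elasticsearch type table (not from the thread); set[T]/vector[T] use T.
BRO_TO_ES = {
    "time": {"type": "date", "format": "epoch_second"}, "addr": {"type": "ip"},
    "port": {"type": "integer"}, "count": {"type": "long"}, "int": {"type": "long"},
    "double": {"type": "double"}, "interval": {"type": "double"}, "bool": {"type": "boolean"},
    "string": {"type": "keyword"}, "enum": {"type": "keyword"},
}
# Constructed set of columns holding domain names; they get the reverse-path analyzer.
DOMAIN_FIELDS = {"query", "host", "server_name"}
# Analyzer that indexes www.ncsa.illinois.edu as edu, illinois.edu, ncsa.illinois.edu, ...
ANALYSIS = {
    "tokenizer": {"rev_dom_tok": {"type": "path_hierarchy", "delimiter": ".", "reverse": True}},
    "analyzer": {"reverse_domain": {"tokenizer": "rev_dom_tok", "filter": ["lowercase"]}},
}

def reverse_domain_tokens(name):
    # Pure-Python model of the suffixes the reversed path_hierarchy tokenizer emits.
    labels = name.strip(".").split(".")
    return [".".join(labels[i:]) for i in range(len(labels) - 1, -1, -1)]

def parse_header(log_text):
    # Pull the tab-separated #fields and #types header lines out of a Bro ASCII log.
    cols = {}
    for line in log_text.splitlines():
        if line.startswith(("#fields\t", "#types\t")):
            key, *values = line.split("\t")
            cols[key] = values
    fields, types = cols.get("#fields"), cols.get("#types")
    if not fields or not types or len(fields) != len(types):
        raise ValueError("header lacks matching #fields/#types lines")
    return list(zip(fields, types))

def es_field(name, bro_type):
    m = re.match(r"^(?:set|vector)\[(.+)\]$", bro_type)  # ES stores arrays natively
    base = m.group(1) if m else bro_type
    if name in DOMAIN_FIELDS and base == "string":
        return {"type": "text", "analyzer": "reverse_domain",
                "fields": {"raw": {"type": "keyword"}}}
    return dict(BRO_TO_ES.get(base, {"type": "keyword"}))

def build_mapping(log_text):
    # Dotted Bro names like id.orig_h are left as-is; Elasticsearch expands them to objects.
    props = {name: es_field(name, t) for name, t in parse_header(log_text)}
    return {"settings": {"analysis": ANALYSIS}, "mappings": {"properties": props}}

# Constructed dns.log header in Bro's ASCII format (tab separated).
SAMPLE_HEADER = ("#separator \\x09\n#path\tdns\n"
                 "#fields\tts\tuid\tid.orig_h\tid.orig_p\tquery\tanswers\n"
                 "#types\ttime\tstring\taddr\tport\tstring\tvector[string]\n")
MAPPING = build_mapping(SAMPLE_HEADER)  # body to PUT when creating the index
```

The `MAPPING` dict is what you would send as the index body; `reverse_domain_tokens` only mirrors, in Python, what the analyzer does inside Elasticsearch so the tokenization can be checked without a cluster.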