[Bro] Elastic/Filebeat and Bro Logs Inquiry
Philip Romero
promero at cenic.org
Mon Dec 11 15:59:26 PST 2017
All,
I'm in the process of getting Bro logs fed into a new elasticsearch
cluster we're building out and had what I am hoping is a quick and easy
question someone could provide input on. My elasticsearch engineering
team stood up a logstash server to ingest data input from our various
sources, of which Bro is one. I came across the below URL at the elastic
site, which gives some direction on an option for getting bro log data
ingested. It was my intention to have filebeat loaded on our Bro server
and have the "current" log folder monitored for new events, as suggested
in the elastic write-up. My elasticsearch engineering team is a little
concerned about the hourly log rotation process performed in that folder
by bro and how it may impact "live" monitored files.
https://www.elastic.co/blog/bro-ids-elastic-stack
Is there a concern with this way of monitoring bro events? Is there a
"better" way to do this to ensure we don't miss events during the hourly
log rotation process? We're a bit new to this so any pointers would be
appreciated. Thanks.
--
Philip Romero, CISSP, CISA
Sr. Information Security Analyst
CENIC
promero at cenic.org
Phone: (714) 220-3430
Mobile: (562) 237-9290
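The following is an added illustration of the rotation concern raised above; it is not part of the original post and is not Bro's or Filebeat's code. It assumes that Bro's ASCII writer rotates by renaming the file in current/ (conn.log becomes conn-YYYY-MM-DD-HH-MM-SS.log), starting a fresh conn.log, and that broctl's post-rotation archive-log then moves the renamed file out of current/ (modelled here by unlinking it). Two miniature tailers are driven through that sequence: one that remembers a byte offset for the path (the naive approach), and one keyed on inode that keeps the old handle open and drains it before following the new file, which is the behaviour Filebeat's registry relies on. The log lines and file names are constructed for the example.

```python
import os
import tempfile


def make_event(i):
    """Constructed conn.log-style line; fixed width so offsets are easy to follow."""
    return f"1513036766.000000\tCsbSx{i}\t10.0.0.{i}\t443\tssl\n".encode()


class NaiveTailer:
    """Path-based tailer: stores a byte offset into *the path*. The offset belongs
    to the old inode, so it is meaningless once the file has been rotated."""

    def __init__(self, path):
        self.path = path
        self.offset = 0

    def poll(self):
        try:
            with open(self.path, "rb") as fh:
                fh.seek(self.offset)  # seeking past EOF of the new file reads nothing
                data = fh.read()
        except FileNotFoundError:
            return []
        self.offset += len(data)
        return [line for line in data.split(b"\n") if line]


class InodeTailer:
    """Inode-keyed tailer modelled on Filebeat's registry: the open handle survives
    the rename (and even the unlink), so the rotated file is drained before the
    tailer switches to whatever inode now lives at the path."""

    def __init__(self, path):
        self.path = path
        self.fh = None
        self.inode = None
        self.pending = b""  # partial line carried between polls

    def _drain(self):
        self.pending += self.fh.read()
        *complete, self.pending = self.pending.split(b"\n")
        return complete

    def poll(self):
        lines = []
        if self.fh is not None:
            lines += self._drain()  # everything appended to the inode we hold
        try:
            st = os.stat(self.path)
        except FileNotFoundError:
            return lines  # mid-rotation: new file not created yet, try later
        if self.fh is None or st.st_ino != self.inode:
            if self.fh is not None:
                lines += self._drain()  # final drain of the rotated inode
                self.fh.close()
            self.fh = open(self.path, "rb")
            self.inode = os.fstat(self.fh.fileno()).st_ino
            self.pending = b""
            lines += self._drain()
        return lines


def simulate_rotation(tailer_cls):
    """Replay one hour boundary (assumed Bro/broctl behaviour, see lead-in) and
    return the events the given tailer delivered, decoded."""
    seen = []
    with tempfile.TemporaryDirectory() as d:
        current = os.path.join(d, "conn.log")
        tailer = tailer_cls(current)

        with open(current, "ab") as w:
            w.write(make_event(1) + make_event(2))
        seen += tailer.poll()

        with open(current, "ab") as w:
            w.write(make_event(3))  # written after the last poll ...
        rotated = os.path.join(d, "conn-2017-12-11-15-00-00.log")
        os.rename(current, rotated)  # ... then rotated away by the ASCII writer
        with open(current, "ab") as w:
            w.write(make_event(4))  # first event of the new hour
        seen += tailer.poll()

        os.unlink(rotated)  # archive-log has moved the rotated file out of current/
        with open(current, "ab") as w:
            w.write(make_event(5) + make_event(6))
        seen += tailer.poll()

        if getattr(tailer, "fh", None):
            tailer.fh.close()
    return [line.decode() for line in seen]


if __name__ == "__main__":
    for cls in (NaiveTailer, InodeTailer):
        uids = [e.split("\t")[1] for e in simulate_rotation(cls)]
        print(cls.__name__, len(uids), "of 6 events:", uids)
```

The path-based tailer loses the events written between its last poll and the rename, plus the start of the new file, while the inode-keyed one delivers all six. The practical check for the real deployment is the same: confirm that rotation renames rather than truncates the file, keep Filebeat's close_renamed at its default of false so the harvester finishes the rotated file, and make sure archive-log does not remove or compress that file before Filebeat has reached its end.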