[Bro] Elastic/Filebeat and Bro Logs Inquiry

Munroe Sollog mus3 at lehigh.edu
Tue Dec 12 05:13:55 PST 2017


Take a look at NSQ.  Both Bro and Logstash support using it to transport
messages.

On Mon, Dec 11, 2017 at 6:59 PM, Philip Romero <promero at cenic.org> wrote:

> All,
>
> I'm in the process of getting Bro logs fed into a new elasticsearch
> cluster we're building out and had what I am hoping is a quick and easy
> question someone could provide input on. My elasticsearch engineering
> team stood up a logstash server to ingest data input from our various
> sources, of which Bro is one. I came across the below URL at the elastic
> site, which gives some direction on an option for getting bro log data
> ingested. It was my intention to have filebeat loaded on our Bro server
> and have the "current" log folder monitored for new events, as suggested
> in the elastic write-up. My elasticsearch engineering team is a little
> concerned about the hourly log rotation process performed in that folder
> by bro and how it may impact "live" monitored files.
>
> https://www.elastic.co/blog/bro-ids-elastic-stack
>
> Is there a concern with this way of monitoring bro events? Is there a
> "better" way to do this to ensure we don't miss events during the hourly
> log rotation process? We're a bit new to this so any pointers would be
> appreciated. Thanks.
>
> --
> Philip Romero, CISSP, CISA
> Sr. Information Security Analyst
> CENIC
> promero at cenic.org
> Phone: (714) 220-3430
> Mobile: (562) 237-9290
>
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
>



-- 
Munroe Sollog
Senior Network Engineer
munroe at lehigh.edu
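The rotation window Philip asks about, worked through as an added example (this is not code from either poster, from Bro, or from Filebeat). A shipper that follows the file by name can lose whatever was appended between its last read and the rename; one that holds the open handle and keys on inode can finish the old file first, which is also the principle Filebeat's registry works on. The script below simulates Bro's top-of-the-hour sequence (append, write a `#close` footer, rename `conn.log` to `conn-<stamp>.log`, create a fresh `conn.log` with its own header block, then have the archiver remove the rotated copy) against a tailer that parses the `#fields` header into dicts. All log lines, uids, addresses and timestamps are constructed; the rotated filename follows Bro's default naming but is an assumption here, not read from any live system.

```python
"""Tail Bro's current/conn.log across an hourly rotation without dropping events.
Added example; not code from the page, Bro or Filebeat. All records constructed."""
import os
import tempfile

# Constructed Bro TSV header block; "\\x09" is literally what Bro writes.
HEADER = (
    "#separator \\x09\n"
    "#set_separator\t,\n"
    "#empty_field\t(empty)\n"
    "#unset_field\t-\n"
    "#path\tconn\n"
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\n"
    "#types\ttime\tstring\taddr\tport\taddr\tport\tenum\n"
)


def record(ts, uid, orig_h, orig_p, resp_h, resp_p, proto="tcp"):
    """One constructed conn.log record in Bro's tab-separated layout."""
    return "\t".join([ts, uid, orig_h, orig_p, resp_h, resp_p, proto]) + "\n"


class BroTailer:
    """Follow one Bro log path, keyed on inode rather than on file name."""

    def __init__(self, path):
        self.path = path
        self.fh = None
        self.inode = None
        self.fields = None

    def _open(self):
        self.fh = open(self.path, "rb")
        self.inode = os.fstat(self.fh.fileno()).st_ino
        self.fields = None  # every rotated file carries its own #fields header

    def _parse(self, line):
        line = line.decode("utf-8").rstrip("\n")
        if line.startswith("#fields\t"):
            self.fields = line.split("\t")[1:]
            return None
        if not line or line.startswith("#"):  # other header lines and #close
            return None
        if self.fields is None:
            raise ValueError("record before #fields header: %r" % line)
        return dict(zip(self.fields, line.split("\t")))

    def _drain(self):
        """Read every complete line appended since the last call."""
        out = []
        while True:
            pos = self.fh.tell()
            line = self.fh.readline()
            if not line:
                break
            if not line.endswith(b"\n"):
                self.fh.seek(pos)  # partial write; pick it up on the next poll
                break
            rec = self._parse(line)
            if rec is not None:
                out.append(rec)
        return out

    def poll(self):
        """Return new records, finishing a rotated file before switching to the new one."""
        if self.fh is None:
            if not os.path.exists(self.path):
                return []
            self._open()
        events = self._drain()  # drains the OLD inode if a rename happened meanwhile
        try:
            on_disk = os.stat(self.path).st_ino
        except FileNotFoundError:
            return events  # mid-rotation: old file renamed, new one not created yet
        if on_disk != self.inode:
            self.fh.close()
            self._open()
            events.extend(self._drain())
        return events


def simulate_hourly_rotation():
    """Drive the tailer through the sequence Bro's hourly rotation produces."""
    tmp = tempfile.mkdtemp()
    path = os.path.join(tmp, "conn.log")
    tailer = BroTailer(path)
    seen = []

    with open(path, "w") as f:
        f.write(HEADER)
        f.write(record("1513062001.5", "CAa1b2", "10.0.0.5", "51422", "93.184.216.34", "443"))
    seen += tailer.poll()

    # Top of the hour, with no poll in between: last record + #close, rename,
    # fresh conn.log with a new header block. This is the window in question.
    with open(path, "a") as f:
        f.write(record("1513065599.9", "CAc3d4", "10.0.0.7", "33012", "198.51.100.9", "53", "udp"))
        f.write("#close\t2017-12-12-06-00-00\n")
    rotated = os.path.join(tmp, "conn-17-12-12_05.00.00.log")  # assumed Bro-style name
    os.rename(path, rotated)
    with open(path, "w") as f:
        f.write(HEADER)
        f.write(record("1513065600.2", "CAe5f6", "10.0.0.9", "40110", "203.0.113.4", "80"))
    # The archiver gzips and removes the rotated file; on POSIX the open handle
    # still holds the inode, so the undrained record survives.
    os.remove(rotated)
    seen += tailer.poll()
    return seen


if __name__ == "__main__":
    for ev in simulate_hourly_rotation():
        print(ev["ts"], ev["uid"], ev["id.orig_h"], "->", ev["id.resp_h"], ev["proto"])
```

The second `poll()` returns both the record written just before the rename and the first record of the new file, so nothing in the rotation window is dropped. The tailer relies on POSIX keeping a removed file readable through an open handle, so it is Linux/BSD behaviour, not Windows. Shipping the events off-box through a queue such as the NSQ transport suggested above avoids the file-rotation question altogether.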