[Bro] bro elasticsearch plugin + kibana indexing

Alex Kefallonitis al.kefallonitis at gmail.com
Sun Mar 5 04:56:48 PST 2017


Where do I put this?

redef Log::default_scope_sep = "_";

Do I have to enable JSON output in ascii.bro?

2017-03-05 14:32 GMT+02:00 Daniel Guerra <daniel.guerra69 at gmail.com>:

> Don’t forget this in the bro script that starts elasticsearch in the
> export part
>
> redef Log::default_scope_sep = "_";
>
>
> On 05 Mar 2017, at 11:22, Alex Kefallonitis <al.kefallonitis at gmail.com>
> wrote:
>
> I do patch src/ElasticSearch.cc ./ElasticSearch.cc.patch, then
> ./configure && make && make install. Load the bro elasticsearch script,
> restart bro and open kibana.
>
> <image.png>
>
> 2017-03-05 12:14 GMT+02:00 Alex Kefallonitis <al.kefallonitis at gmail.com>:
>
>> I tried the patch too but still no timestamp appears; I am using ELK 5.2.2
>>
>> 2017-03-05 10:27 GMT+02:00 Daniel Guerra <daniel.guerra69 at gmail.com>:
>>
>>> Try this
>>>
>>> https://github.com/danielguerra69/bro-debian-elasticsearch/blob/master/bro-patch/ElasticSearch.cc.patch
>>>
>>>
>>> > On 05 Mar 2017, at 02:57, Alex Kefallonitis <al.kefallonitis at gmail.com>
>>> wrote:
>>> >
>>> > ELK + Kibana not indexing bro logs
>>> >
>>> > Successfully installed the plugin and ELK, but when I add indexing bro-*,
>>> > the index time-field appears empty (@timestamp) so I cannot use bro logs with
>>> > kibana search. Anyone have the same issue?
>>> > _______________________________________________
>>> > Bro mailing list
>>> > bro at bro-ids.org
>>> > http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
>>>
>>>
>>
>
>
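As an added example (not code from this thread, and not Daniel's patch), the Python snippet below shows what the two settings discussed above do to a Bro JSON log record: renaming dotted field names with "_" (what redef Log::default_scope_sep = "_"; makes Bro do itself, since Elasticsearch 5.x treats a dot in a field name as an object path and "id.orig_h" then collides with any "id" field), and deriving an ISO 8601 @timestamp from Bro's epoch-seconds ts so Kibana has a populated time field to index on. The sample record and its values are constructed; the function names are this example's own.

```python
import json
from datetime import datetime, timezone

# Constructed sample: one conn.log record as the JSON ASCII writer emits it,
# with the default "." scope separator and ts as epoch seconds (UTC).
SAMPLE_LINE = (
    '{"ts":1488717168.5,"uid":"CHhAvVGS1DHFjwGM9",'
    '"id.orig_h":"10.0.0.5","id.orig_p":51234,'
    '"id.resp_h":"192.0.2.10","id.resp_p":443,'
    '"proto":"tcp","duration":0.512,"orig_bytes":1024,"resp_bytes":4096}'
)


def flatten_field_names(record, scope_sep="_"):
    """Rename dotted Bro field names ("id.orig_h" -> "id_orig_h").

    This mirrors the effect of redef Log::default_scope_sep = "_"; in Bro,
    done here after the fact so the example runs on its own.
    """
    return {key.replace(".", scope_sep): value for key, value in record.items()}


def add_timestamp(record, ts_field="ts"):
    """Derive an ISO 8601 @timestamp (UTC, millisecond precision) from ts.

    Records without a ts field are returned unchanged rather than given a
    bogus time, so a mapping error stays visible instead of being masked.
    """
    if ts_field not in record:
        return record
    stamp = datetime.fromtimestamp(record[ts_field], tz=timezone.utc)
    record["@timestamp"] = (
        stamp.isoformat(timespec="milliseconds").replace("+00:00", "Z")
    )
    return record


def prepare_for_elasticsearch(line, scope_sep="_"):
    """Parse one Bro JSON log line and return a dict ready to index."""
    record = json.loads(line)
    record = flatten_field_names(record, scope_sep)
    return add_timestamp(record)


if __name__ == "__main__":
    print(json.dumps(prepare_for_elasticsearch(SAMPLE_LINE), indent=2))
```

Running it prints the record with "id_orig_h"-style keys and an "@timestamp" of "2017-03-05T12:32:48.500Z" alongside the original ts; if the index pattern in Kibana still shows an empty time field, that points at the mapping rather than the data.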