[Bro] bro elasticsearch plugin + kibana indexing
Daniel Guerra
daniel.guerra69 at gmail.com
Sun Mar 5 04:57:36 PST 2017
##! Load this script to enable global log output to an ElasticSearch database.

module LogElasticSearch;

export {
    ## An elasticsearch specific rotation interval.
    const rotation_interval = 1hr &redef;

    ## Optionally ignore any :bro:type:`Log::ID` from being sent to
    ## ElasticSearch with this script.
    const excluded_log_ids: set[Log::ID] &redef;

    ## If you want to explicitly only send certain :bro:type:`Log::ID`
    ## streams, add them to this set. If the set remains empty, all will
    ## be sent. The :bro:id:`LogElasticSearch::excluded_log_ids` option
    ## will remain in effect as well.
    const send_logs: set[Log::ID] &redef;

    ## Set the separator used to join nested record field names, so that
    ## e.g. id.orig_h is written as id_orig_h and Elasticsearch does not
    ## apply its special handling of dots in field names.
    redef Log::default_scope_sep = "_";
}
> On 05 Mar 2017, at 13:56, Alex Kefallonitis <al.kefallonitis at gmail.com> wrote:
>
> Where do i put this?
>
> redef Log::default_scope_sep = "_";
>
> Do i have to enable json output to ascii.bro?
>
> 2017-03-05 14:32 GMT+02:00 Daniel Guerra <daniel.guerra69 at gmail.com>:
> Don’t forget this in the bro script that starts elasticsearch in the export part
>
> redef Log::default_scope_sep = "_";
>
>
>> On 05 Mar 2017, at 11:22, Alex Kefallonitis <al.kefallonitis at gmail.com> wrote:
>>
>> I do patch src/ElasticSearch.cc ./ElasticSearch.cc.patch, ./configure && make && make install. Load bro elasticsearch script and restart bro, open kibana.
>>
>>
>> 2017-03-05 12:14 GMT+02:00 Alex Kefallonitis <al.kefallonitis at gmail.com>:
>> I try the patch too but still no timestamp appears. I am using ELK 5.2.2.
>>
>> 2017-03-05 10:27 GMT+02:00 Daniel Guerra <daniel.guerra69 at gmail.com>:
>> Try this
>>
>> https://github.com/danielguerra69/bro-debian-elasticsearch/blob/master/bro-patch/ElasticSearch.cc.patch
>>
>>
>> > On 05 Mar 2017, at 02:57, Alex Kefallonitis <al.kefallonitis at gmail.com> wrote:
>> >
>> > ELK + Kibana not indexing bro logs
>> >
>> > Successfully installed the plugin and ELK, but when I add indexing bro-*, the index time-field appears empty (@timestamp), so I cannot use bro logs with kibana search. Anyone have the same issue?
>> > _______________________________________________
>> > Bro mailing list
>> > bro at bro-ids.org
>> > http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
>>
>>
>>
>
>
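The two things the thread turns on are the "." scope separator in nested Bro field names (hence `redef Log::default_scope_sep = "_"`) and an index whose time field is empty in Kibana. The following is an added example, not code from the thread or from the bro-debian-elasticsearch project: it takes a constructed Bro conn.log record in JSON form, renames the scoped fields the same way the `_` separator would, derives an ISO 8601 `@timestamp` from Bro's epoch-seconds `ts`, and wraps the result as Elasticsearch `_bulk` lines. The `bro-YYYY.MM.DD` index naming and the use of `_type` are this example's assumptions for an ELK 5.x setup.

```python
import json
from datetime import datetime, timezone

# Constructed sample: one Bro conn.log record in JSON form (not taken from the thread).
# Bro joins nested record fields with "." by default, e.g. "id.orig_h".
SAMPLE_CONN_LINE = json.dumps({
    "ts": 1488711456.123456,
    "uid": "CHhAvVGS1DHFjwGM9",
    "id.orig_h": "10.0.0.5",
    "id.orig_p": 51234,
    "id.resp_h": "93.184.216.34",
    "id.resp_p": 443,
    "proto": "tcp",
    "service": "ssl",
})

def rename_scoped_fields(record, scope_sep="_"):
    """Mirror `redef Log::default_scope_sep = "_"`: replace the "." scope separator
    in nested field names so Elasticsearch/Kibana do not see dotted object paths."""
    return {k.replace(".", scope_sep): v for k, v in record.items()}

def add_timestamp(record, ts_field="ts"):
    """Derive an ISO 8601 UTC "@timestamp" from Bro's epoch-seconds `ts`, which is the
    time field a Kibana index pattern expects. A record without `ts` raises so the
    problem is noticed instead of silently producing an empty time field."""
    if ts_field not in record:
        raise ValueError("record has no %r field" % ts_field)
    ts = datetime.fromtimestamp(float(record[ts_field]), tz=timezone.utc)
    doc = dict(record)
    doc["@timestamp"] = ts.isoformat(timespec="milliseconds").replace("+00:00", "Z")
    return doc

def to_es_document(line, scope_sep="_"):
    """Turn one Bro JSON log line into a document ready for Elasticsearch."""
    return add_timestamp(rename_scoped_fields(json.loads(line), scope_sep))

def bulk_index_lines(line, log_name, scope_sep="_"):
    """Build the action + document lines of an Elasticsearch _bulk request for one
    record. Index name bro-YYYY.MM.DD (assumed here) lets an index pattern "bro-*"
    match; `_type` carries the Bro log name, as ELK 5.x still uses mapping types."""
    doc = to_es_document(line, scope_sep)
    index_name = "bro-" + doc["@timestamp"][:10].replace("-", ".")
    action = {"index": {"_index": index_name, "_type": log_name}}
    return json.dumps(action) + "\n" + json.dumps(doc) + "\n"

if __name__ == "__main__":
    print(bulk_index_lines(SAMPLE_CONN_LINE, "conn"), end="")
```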