[Bro] Fwd: smb_files.log, logstash, and kibana

Federico Foschini undicizeri at gmail.com
Tue Aug 7 08:23:57 PDT 2018


Hi Erik,
It’s a very easy thing to do using the logstash rewrite filter.
In our infrastructure we have a logstash pipeline that reads every bro
file and adds a tag to it.

input {

    file {
        path => [ "/var/log/bro/logs/current/conn.log" ]
        close_older => 30
        start_position => beginning
        tags => [ "bro", "bro_conn" ]
        id => "input_bro_conn"
    }

    file {
        path => [ "/var/log/bro/logs/current/dce_rpc.log" ]
        close_older => 30
        start_position => beginning
        tags => [ "bro", "bro_dce_rpc" ]
        id => "input_bro_dce_rpc"
    }

    [...]

}

Then you can define a rewrite like this:

filter {
    if "bro_smb_files" in [tags] or "bro_smb_mapping" in [tags] {
        mutate {
            rename => { "path" => "smb_path" }
            id => "normalize_bro_smb"
        }
    }
}


On Tue 7 Aug 2018 at 16:45 Patrick Kelley <
patrick.kelley at criticalpathsecurity.com> wrote:

> We're not really solving Erik's problem by recommending a switch to json.
> If anything, it aggravates the situation as it will throw additional logs
> entry failures on one of the noisiest protocols analyzed.
>
> This activity causes a parsing issue.
>
> The field output from the smb protocol scripts will have to rewrite the
> field name.  I've done this in the past with NB, but I don't recall the
> exact details.
>
>
>
> I'll see what I can rundown from my notes.
>
>
> On Tue, Aug 7, 2018 at 10:11 AM, erik clark <philosnef at gmail.com> wrote:
>
>> Yes, I am using json output.
>>
>>
>> On Tue, Aug 7, 2018 at 9:36 AM, jose antonio izquierdo lopez <
>> jizquierdo at owlh.net> wrote:
>>
>>> Hi, are you using bro - json output? if not maybe this will make your
>>> life easier when integrating with ES.
>>>
>>>
>>>
>>> Best Regards,
>>>
>>> Jose Antonio Izquierdo
>>> m - +34 673 055 255
>>> skype - izquierdo.lopez <https://join.skype.com/invite/aHkpSVL1sz8Q>
>>>
>>>
>>>
>>>
>>>
>>> On Tue, Aug 7, 2018 at 2:43 PM erik clark <philosnef at gmail.com> wrote:
>>>
>>>> I have a field name collision on "path". Logstash is pushing into ES a
>>>> field of "path" with the file path on disk to the log being monitored.
>>>>
>>>> In smb_files.log, path refers to the path on disk of the file being
>>>> written by smb. How would this best be resolved?
>>>> _______________________________________________
>>>> Bro mailing list
>>>> bro at bro-ids.org
>>>> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
>>>
>>>
>>
>>
>
>
>
> --
>
> *Patrick Kelley, CISSP, C|EH, ITIL*
> *CTO*
> patrick.kelley at criticalpathsecurity.com
> (o) 770-224-6482
>
>



-- 
Federico Foschini.
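The same normalisation as the Logstash snippet above, written out as a small Python script so the collision and the fix can be checked offline (added example, not code from the poster or from the Bro or Logstash projects). It assumes Bro's JSON output (one object per line), derives the bro_<log> tag from the log file name the way the inputs above do, and uses a constructed smb_files.log line as input.

```python
import json
import os

# Fields the Logstash file input sets on every event it emits (path = log file on disk).
LOGSTASH_RESERVED = {"path", "host"}

# Per-log renames keyed by the bro_<log> tag, mirroring the mutate block above.
RENAMES = {
    "bro_smb_files": {"path": "smb_path"},
    "bro_smb_mapping": {"path": "smb_path"},
}

# Constructed sample line in Bro's JSON output format (not real traffic).
SAMPLE_SMB_LINE = json.dumps({
    "ts": 1533652800.123, "uid": "CExample1", "id.orig_h": "10.0.0.5",
    "id.orig_p": 49152, "id.resp_h": "10.0.0.10", "id.resp_p": 445,
    "action": "SMB::FILE_OPEN", "path": "\\\\fileserver\\share",
    "name": "report.docx", "size": 2048,
})


def tags_for(logfile):
    """'/var/log/bro/logs/current/smb_files.log' -> ['bro', 'bro_smb_files']."""
    stem, _ext = os.path.splitext(os.path.basename(logfile))
    return ["bro", "bro_" + stem]


def reserved_collisions(line):
    """Bro field names in this line that the Logstash file input would also set."""
    return set(json.loads(line)) & LOGSTASH_RESERVED


def normalize(line, logfile):
    """Decode one line and apply the renames before adding the input's own fields."""
    event = json.loads(line)
    tags = tags_for(logfile)
    for tag in tags:
        for old, new in RENAMES.get(tag, {}).items():
            if old in event:
                event[new] = event.pop(old)  # mutate { rename => { old => new } }
    # Only now is it safe to add the fields the file input contributes.
    event["path"] = logfile
    event["tags"] = tags
    return event


if __name__ == "__main__":
    logfile = "/var/log/bro/logs/current/smb_files.log"
    print("colliding fields:", reserved_collisions(SAMPLE_SMB_LINE))
    print(json.dumps(normalize(SAMPLE_SMB_LINE, logfile), indent=1))
```

Running reserved_collisions over a few lines of each log type is a quick way to find other logs whose field names overlap with what the file input adds.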