[Bro] logstash rewrite

[erik clark]

 Federico, I tried as suggested, but then I get this:



(in the message)  "path":"\u005c\u005cgs500s-file\u005caetd-startup"

(in the smb_path in kibana): *t* smb_path
/opt/bro/logs/current/smb_files.log
(in the tags):


tags
bro, bro_smb_files, _geoip_lookup_failure
Here are my mutates:
file { path => [ "/opt/bro/logs/current/smb_files.log" ] close_older => 30
start_position => beginning tags => [ "bro", "bro_smb_files" ] id =>
"input_bro_smb_files" } file { path => [
"/opt/bro/logs/current/smb_mapping.log" ] close_older => 30 start_position
=> beginning tags => [ "bro", "bro_smb_mapping" ] id =>
"input_bro_smb_mapping" } } filter { if "bro_smb_files" in [tags] { mutate
{ rename => { "path" => "smb_path" } id => "normalize_bro_smb" } } if
"bro_smb_mapping" in [tags] { mutate { rename => { "path" => "smb_map_path"
} id => "normalize_bro_smb" } }

---
Hi Erik,
It?s a very easy thing to do using logstash rewrite filter.
In our infrastructure we have a logstash pipeline that reads every bro
files and adds a tag to them.

input {

    file {
        path => [ "/var/log/bro/logs/current/conn.log" ]
        close_older => 30
        start_position => beginning
        tags => [ "bro", "bro_conn" ]
        id => "input_bro_conn"
    }

file {
        path => [ "/var/log/bro/logs/current/dce_rpc.log" ]
        close_older => 30
        start_position => beginning
        tags => [ "bro", "bro_dce_rpc" ]
        id => "input_bro_dce_rpc"
    }

[...]

Then you can define a rewrite like this:

filter {
       if "bro_smb_files" in [tags] or "bro_smb_mapping" in [tags] {
            mutate {
                rename => { "path" => "smb_path" }
                id => "normalize_bro_smb"
            }

}
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20180815/9d0b2989/attachment-0001.html