[Bro] filebeat +elk

Patrick Kelley patrick.kelley at criticalpathsecurity.com
Wed Mar 28 11:14:11 PDT 2018


Michał,

It's not cool to assume the role of defining how others give away their
personal time and efforts. I'm sure you'll manage just fine with my pushing
unpolished notes to a particular person, as opposed to mass transmitting
what could be a complete "goat rodeo" for everyone else.

The "community" worked just fine.  A person had a need.  They asked.  It
was filled.

Go have a coke and a smile.

-PK


On Wed, Mar 28, 2018 at 1:52 PM, Michał Purzyński <
michalpurzynski1 at gmail.com> wrote:

> Sending details outside of the mailing list is not cool and against what
> the open source community stands for.
>
> Anyway, we’ve had a great success with taking Bro JSON logs and shipping
> them over to RabbitMQ with syslog-ng (no parsing done on the syslog-ng
> side) and fetching those with MozDef workers (which are python).
>
> 6k eps no sweat.
>
>
> On Mar 28, 2018, at 10:28 AM, Patrick Kelley <pkelley at hyperionavenue.com>
> wrote:
>
> Erik,
>
> I’m doing this with Ubuntu and Pi devices. I’ll send you all of my notes
> outside of the main channel.
>
> *Patrick Kelley, CISSP, C|EH, ITIL*
> *Principal Security Engineer*
> patrick.kelley at criticalpathsecurity.com
>
>
> On Mar 28, 2018, at 1:09 PM, Zeolla at GMail.com <zeolla at gmail.com> wrote:
>
> Do you specifically need to send it to logstash or do you just need it to
> get inserted into elasticsearch?
>
> Jon
>
> On Wed, Mar 28, 2018 at 1:07 PM erik clark <philosnef at gmail.com> wrote:
>
>> I am trying to ingest bro 2.5 json logs into an elk stack, using filebeat
>> to push the logs. Is that even the best way to do this? I have found MUCH
>> outdated material on ingesting bro logs into an elk stack, but very little
>> that is up to date, and some of which is up to date but is using older
>> versions of software from elastic.co. If anyone has a modern bro/elk
>> integration document they use(d) to set their environment up, it would be
>> greatly appreciated if you could share. Thanks!
>>
>> Erik
>> _______________________________________________
>> Bro mailing list
>> bro at bro-ids.org
>> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
>
> --
>
> Jon
>



-- 

*Patrick Kelley, CISSP, C|EH, ITIL*
*CTO*
patrick.kelley at criticalpathsecurity.com
(o) 770-224-6482
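Erik's question about getting Bro 2.5 JSON logs into Elasticsearch, and Michał's note that his syslog-ng hop does no parsing, both leave the normalization step to whatever sits in front of Elasticsearch: a Logstash filter, an ingest pipeline, or a MozDef-style Python worker. What follows is an added example, not code from anyone in this thread, from the Bro project, or from MozDef: a small Python normalizer of the kind such a worker would run. It assumes the default Bro 2.5 JSON writer output (one object per line, epoch-seconds `ts`, dotted `id.orig_h`-style keys, log type only in the file name) and, when present, a `_path` key as written by the json-streaming-logs package (that package's convention, not something the thread states). The sample log lines are constructed, and the function names `parse_bro_json`/`bulk_body` and the `log_type` field are this example's own choices.

```python
import json
import os
from datetime import datetime, timezone

# Constructed sample in the shape Bro 2.5 writes with `@load tuning/json-logs`:
# one JSON object per line, epoch-seconds `ts`, dotted connection-id keys,
# no indication of the log type inside the record. The last line is a
# deliberately truncated write, the kind a shipper sees mid-rotation.
SAMPLE_CONN_LOG = """\
{"ts":1522260000.123456,"uid":"CHhAvVGS1DHFjwGM9","id.orig_h":"10.0.0.5","id.orig_p":51234,"id.resp_h":"93.184.216.34","id.resp_p":443,"proto":"tcp","service":"ssl","duration":0.5,"orig_bytes":1200,"resp_bytes":5400,"conn_state":"SF"}
{"ts":1522260001.0,"uid":"CjX3e2kZzqM1d9gq6","id.orig_h":"10.0.0.7","id.orig_p":40000,"id.resp_h":"10.0.0.1","id.resp_p":53,"proto":"udp","service":"dns","conn_state":"SF"}
{"ts":1522260002.0,"uid":"CqZ1Ab3d4E5f6G7h8","id.orig_h":"10.0.0.9"
"""

# Constructed line in the shape of json-streaming-logs output, which tags each
# record with its log type in `_path` (assumption: that package's convention).
SAMPLE_STREAMING_LINE = (
    '{"_path":"dns","ts":1522260001.5,"uid":"CjX3e2kZzqM1d9gq6",'
    '"id.orig_h":"10.0.0.7","id.orig_p":40000,"id.resp_h":"10.0.0.1",'
    '"id.resp_p":53,"query":"example.com","qtype_name":"A","rcode_name":"NOERROR"}'
)


def log_type_from_filename(filename):
    """conn.log, conn.2018-03-28-11-00-00.log, conn.log.gz -> 'conn'."""
    return os.path.basename(filename).split(".")[0]


def nest_dotted(record):
    """Turn {'id.orig_h': x} into {'id': {'orig_h': x}} so Elasticsearch maps
    the connection tuple as one object instead of interpreting dotted keys."""
    out = {}
    for key, value in record.items():
        parts = key.split(".")
        cur = out
        for part in parts[:-1]:
            cur = cur.setdefault(part, {})
        cur[parts[-1]] = value
    return out


def normalize(record, filename):
    """One Bro JSON record -> one Elasticsearch-ready document."""
    doc = nest_dotted(record)
    # Elasticsearch wants a date; Bro gives float seconds since the epoch.
    ts = doc.pop("ts", None)
    if isinstance(ts, (int, float)):
        stamp = datetime.fromtimestamp(ts, tz=timezone.utc)
        doc["@timestamp"] = stamp.isoformat(timespec="milliseconds")
    # Prefer the log type the record carries, else derive it from the file name.
    doc["log_type"] = doc.pop("_path", None) or log_type_from_filename(filename)
    return doc


def parse_bro_json(text, filename):
    """Returns (documents, skipped_count). Malformed lines are counted and
    skipped rather than allowed to take the whole batch down."""
    docs = []
    skipped = 0
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            record = json.loads(line)
        except ValueError:
            skipped += 1
            continue
        docs.append(normalize(record, filename))
    return docs, skipped


def bulk_body(docs, index):
    """Body for Elasticsearch's _bulk API: an action line then a source line
    per document, newline-terminated. No explicit _id: a Bro uid is shared by
    every dns/http/ssl record of one connection, so it is not unique."""
    lines = []
    for doc in docs:
        lines.append(json.dumps({"index": {"_index": index}}))
        lines.append(json.dumps(doc))
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    conn_docs, bad = parse_bro_json(SAMPLE_CONN_LOG, "/opt/bro/logs/current/conn.log")
    print(f"{len(conn_docs)} documents, {bad} skipped")
    print(bulk_body(conn_docs, "bro-2018.03.28"))
```

The three things this does (date conversion, nesting the dotted keys, recording the log type) are exactly what a Logstash `date`/`mutate` filter pair or an ingest pipeline would do in the filebeat path Erik asked about; the point of writing it out is that the log type is not in the record unless something adds it, so whichever shipper you pick has to carry the file name along or you end up with conn and dns records that are indistinguishable.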