[Bro] filebeat +elk

Philip Romero promero at cenic.org
Wed Mar 28 13:57:54 PDT 2018


Erik,

We are using filebeat to feed our bro 2.5.3 logs into logstash for a
small 5 node elastic stack cluster. We're running elastic 6.0.x
currently and are in the process of upgrading to 6.2. This is just a
starting point for us and it seems to be working well. We're not doing
any json output from bro, but the native file format with logstash side
processing is working fine. Below are the files I'm currently feeding
into elastic.

/<bro-path>/logs/current/capture_loss.log
/<bro-path>/logs/current/conn.log
/<bro-path>/logs/current/dns.log
/<bro-path>/logs/current/files.log
/<bro-path>/logs/current/ftp.log
/<bro-path>/logs/current/http.log
/<bro-path>/logs/current/intel.log
/<bro-path>/logs/current/notice.log
/<bro-path>/logs/current/radius.log
/<bro-path>/logs/current/smb_file.logs
/<bro-path>/logs/current/smb_mapping.log
/<bro-path>/logs/current/smtp.log
/<bro-path>/logs/current/software.log
/<bro-path>/logs/current/ssh.log


On 3/28/18 1:42 PM, bro-request at bro.org wrote:
> On 28/03/2018 at 18:52, erik clark wrote:
>>> I am trying to ingest bro 2.5 json logs into an elk stack, using filebeat
>>> to push the logs. Is that even the best way to do this? I have found MUCH
>>> outdated material on ingesting bro logs into an elk stack, but very little
>>> that is up to date, and some of which is up to date but is using older
>>> versions of software from elastic.co. If anyone has a modern bro/elk
>>> integration document they use(d) to set their environment up, it would be
>>> greatly appreciated if you could share. Thanks!
>>>
>>> Erik
>>>

-- 
Philip Romero, CISSP, CISA
Sr. Information Security Analyst
CENIC
promero at cenic.org
Phone: (714) 220-3430
Mobile: (562) 237-9290
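The message above relies on Bro's native tab-separated log format being parsed on the Logstash side rather than having Bro emit JSON. What makes that workable is that every Bro log carries its own schema in its header lines (#separator, #set_separator, #empty_field, #unset_field, #fields, #types), so a parser can turn each line into typed JSON without a hand-written grok pattern per log. The following is an added, stand-alone example of such a parser, written for this page; it is not CENIC's pipeline, nor code from the Bro or Elastic projects. The sample conn.log embedded in it is constructed (made-up addresses and UIDs, not real traffic), and it assumes the Bro 2.x header conventions shown in the sample.

```python
"""Parse Bro's native tab-separated log format into JSON-ready records.

Added example for this page (not Bro's or Elastic's code). The header lines
of a Bro log describe the columns, so the parser reads the schema from the
file itself instead of relying on a per-log grok pattern.
"""
import json

# Constructed sample conn.log in Bro 2.x native format (made-up data).
# The separator line stores the tab as a backslash-hex escape, and the
# remaining header lines are themselves tab-separated.
SAMPLE_CONN_LOG = "\n".join([
    "#separator \\x09",
    "#set_separator\t,",
    "#empty_field\t(empty)",
    "#unset_field\t-",
    "#path\tconn",
    "#open\t2018-03-28-13-00-00",
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto"
    "\tservice\tduration\torig_bytes\tresp_bytes\tconn_state\ttunnel_parents",
    "#types\ttime\tstring\taddr\tport\taddr\tport\tenum"
    "\tstring\tinterval\tcount\tcount\tstring\tset[string]",
    "1522267200.123456\tCAbc12def34\t10.0.0.5\t51234\t192.0.2.10\t53\tudp"
    "\tdns\t0.0421\t62\t140\tSF\t(empty)",
    "1522267201.5\tCXyz98uvw76\t10.0.0.7\t40000\t198.51.100.20\t443\ttcp"
    "\t-\t-\t-\t-\tS0\t(empty)",
    "#close\t2018-03-28-14-00-00",
])


def _decode_separator(raw):
    # "#separator \x09" -> the literal tab character
    return raw.encode("ascii").decode("unicode_escape")


def _convert_scalar(value, btype):
    # Map Bro scalar types onto JSON-friendly Python types; everything
    # not listed (string, addr, enum, subnet, ...) stays as text.
    if btype in ("count", "int", "port"):
        return int(value)
    if btype in ("time", "interval", "double"):
        return float(value)
    if btype == "bool":
        return value == "T"
    return value


def _convert(value, btype, meta):
    if value == meta["unset_field"]:
        return None  # "-" means the field was never set
    if btype.startswith(("set[", "vector[")):
        if value == meta["empty_field"]:
            return []
        inner = btype[btype.index("[") + 1:-1]
        return [_convert_scalar(v, inner) for v in value.split(meta["set_separator"])]
    if value == meta["empty_field"]:
        return ""
    return _convert_scalar(value, btype)


def parse_bro_log(text):
    """Return a list of dicts, one per data line, typed via the #types header."""
    meta = {"separator": "\t", "set_separator": ",",
            "empty_field": "(empty)", "unset_field": "-", "path": None}
    fields, types, records = [], [], []
    for line in text.splitlines():
        if not line:
            continue
        if line.startswith("#separator"):
            meta["separator"] = _decode_separator(line.partition(" ")[2])
            continue
        if line.startswith("#"):
            key, *values = line.split(meta["separator"])
            if key == "#fields":
                fields = values
            elif key == "#types":
                types = values
            elif key in ("#set_separator", "#empty_field", "#unset_field", "#path"):
                meta[key[1:]] = values[0]
            continue  # #open / #close carry no column data
        values = line.split(meta["separator"])
        if len(values) != len(fields) or len(fields) != len(types):
            # A truncated or corrupted line should not silently shift columns.
            raise ValueError("column count mismatch: %r" % line)
        record = {name: _convert(val, btype, meta)
                  for name, val, btype in zip(fields, values, types)}
        record["_path"] = meta["path"]  # which Bro log this line came from
        records.append(record)
    return records


def to_json_lines(records):
    """One JSON document per line, the shape a JSON-aware shipper would emit."""
    return "\n".join(json.dumps(r, sort_keys=True) for r in records)


if __name__ == "__main__":
    print(to_json_lines(parse_bro_log(SAMPLE_CONN_LOG)))
```

The #types row is also what tells an index template which columns are addresses and ports, so a mapping can give id.orig_h and id.resp_h the ip type rather than leaving them as free text; the parser keeps the dotted Bro field names so that choice stays visible downstream.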
