[Bro] filebeat +elk

erik clark philosnef at gmail.com
Thu Mar 29 06:24:41 PDT 2018


I ended up using logstash, rsyslog, es, and kibana. Next up, using Yelp's
elastalert! Thank you all for your assistance!



On Wed, Mar 28, 2018 at 2:45 PM, Michał Purzyński <
michalpurzynski1 at gmail.com> wrote:

> On Mar 28, 2018, at 11:23 AM, Zeolla at GMail.com <zeolla at gmail.com> wrote:
>
> No guarantees, but this[1] may be helpful.  I've recently moved to pushing
> things to kafka using this[2], which eventually feeds into ES using Apache
> Metron which adds some other benefits but is meant for large scale
> environments (i.e. it is definitely _not_ lightweight).
>
> 1:  https://github.com/bro/bro-plugins/tree/00d039442b97ba545e6020200d96a3cba9d9181b/elasticsearch
> 2:  https://github.com/apache/metron-bro-plugin-kafka
>
> Jon
>
> On Wed, Mar 28, 2018 at 2:21 PM erik clark <philosnef at gmail.com> wrote:
>
>> I just need to get it into ES. I am going to pump eve.json in as well. I
>> have no experience with the ELK stack at all, other than some ES work from
>> dealing with moloch content going in there and configuring it appropriately.
>> If I can just bypass everything and push eve.json and bro json logs
>> directly in, that would be fantastic.
>>
>> Thanks Jon!
>>
>> On Wed, Mar 28, 2018 at 1:09 PM, Zeolla at GMail.com <zeolla at gmail.com>
>> wrote:
>>
>>> Do you specifically need to send it to logstash or do you just need it
>>> to get inserted into elasticsearch?
>>>
>>> Jon
>>>
>>> On Wed, Mar 28, 2018 at 1:07 PM erik clark <philosnef at gmail.com> wrote:
>>>
>>>> I am trying to ingest bro 2.5 json logs into an elk stack, using
>>>> filebeat to push the logs. Is that even the best way to do this? I have
>>>> found MUCH outdated material on ingesting bro logs into an elk stack, but
>>>> very little that is up to date, and some of which is up to date but is
>>>> using older versions of software from elastic.co. If anyone has a
>>>> modern bro/elk integration document they use(d) to set their environment
>>>> up, it would be greatly appreciated if you could share. Thanks!
>>>>
>>>> Erik
>>>> _______________________________________________
>>>> Bro mailing list
>>>> bro at bro-ids.org
>>>> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
>>>
>>> --
>>>
>>> Jon
>>>
>>
>> --
>
> Jon
>
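The direct path Erik describes (pushing Bro JSON logs and Suricata's eve.json straight into Elasticsearch, bypassing filebeat/logstash) as an added example, not code from anyone in this thread: it normalises one constructed line of each format, adds the @timestamp and flattened field names Kibana expects, and builds the NDJSON body for the ES _bulk API. The sample log lines, the log_source field and the default ES URL are constructed assumptions.

```python
import json
import urllib.request
from datetime import datetime, timezone

# Constructed samples: one Bro 2.5 JSON conn.log record and one Suricata eve.json alert.
SAMPLE_LINES = [
    ("bro_conn", '{"ts":1522255200.123456,"uid":"CXWv6p3arKYeMETxOg",'
                 '"id.orig_h":"10.0.0.5","id.orig_p":51234,"id.resp_h":"93.184.216.34",'
                 '"id.resp_p":443,"proto":"tcp","service":"ssl","conn_state":"SF"}'),
    ("suricata_eve", '{"timestamp":"2018-03-28T16:40:00.123456+0000","event_type":"alert",'
                     '"src_ip":"10.0.0.5","dest_ip":"93.184.216.34",'
                     '"alert":{"signature":"constructed test rule","severity":2}}'),
]


def normalize(source, line):
    """Parse one JSON log line and add the fields Kibana/ES expect."""
    raw = json.loads(line)
    # Bro names fields like "id.orig_h"; ES would expand the dots into nested
    # objects, so flatten them to underscores as most Bro/ELK configs do.
    doc = {k.replace(".", "_"): v for k, v in raw.items()}
    if "ts" in doc:                       # Bro: epoch seconds as a float
        doc["@timestamp"] = datetime.fromtimestamp(doc["ts"], tz=timezone.utc).isoformat()
    elif "timestamp" in doc:              # Suricata: ISO 8601 string
        doc["@timestamp"] = doc["timestamp"]
    doc["log_source"] = source            # hypothetical field to tell the feeds apart
    return doc


def bulk_actions(records):
    """Return (action, document) pairs for the _bulk API, one per log line."""
    actions = []
    for source, line in records:
        doc = normalize(source, line)
        day = doc["@timestamp"][:10].replace("-", ".")   # daily index, e.g. bro_conn-2018.03.28
        actions.append(({"index": {"_index": f"{source}-{day}"}}, doc))
    return actions


def bulk_body(records):
    """Serialise the pairs as NDJSON: action line, document line, trailing newline."""
    return "".join(json.dumps(a) + "\n" + json.dumps(d) + "\n" for a, d in bulk_actions(records))


def send_bulk(body, es_url="http://localhost:9200"):
    """POST the body to ES (assumed local, unauthenticated ES; adjust for a real node)."""
    req = urllib.request.Request(es_url + "/_bulk", data=body.encode(),
                                 headers={"Content-Type": "application/x-ndjson"}, method="POST")
    with urllib.request.urlopen(req) as resp:
        return json.loads(resp.read())


if __name__ == "__main__":
    print(bulk_body(SAMPLE_LINES), end="")   # pipe into send_bulk() once ES is reachable
```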