Last active
August 29, 2015 14:20
Bro ASCII logs in JSON
```
# This logstash config was created for the Logstash 1.5 beta, but I think should work on 1.4.x
# Rename it to .conf, I think. I put .rb for formatting in Gist
input {
  file {
    path => '/nsm/bro/logs/current/*.log'
    codec => "json"
    # Only honoured the first time a file is seen; afterwards the sincedb offset wins
    start_position => "beginning"
    type => "bro"
    # The @metadata field is for logstash internal tracking only (it is not shipped to outputs)
    add_field => { "[@metadata][source]" => "bro_files" }
  }
}

filter {
  if [@metadata][source] == "bro_files" {
    # This parses the 'ts' field into @timestamp, but we leave the original ts field as-is for better precision
    date {
      match => ["ts", "ISO8601"]
    }
    # This ruby code just cleans up the filename to get the bro log name
    # (e.g. /nsm/bro/logs/current/conn.log -> "conn")
    ruby {
      code => "event['path'] = event['path'].split('/')[-1].split('.')[0]"
    }
  }
}

output {
  if [@metadata][source] == "bro_files" {
    # This is for debug only
    stdout { codec => rubydebug }
    # This assumes elasticsearch with default settings on localhost
    elasticsearch { }
  }
}
```
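To check what the filter section above does to a Bro event before wiring up Elasticsearch, here is an added Ruby example (not part of the gist) that replays the same two steps outside Logstash: the `date` filter's ISO 8601 parse of `ts` into `@timestamp`, and the `ruby` filter's reduction of the file path to the log name. The JSON line and the path are constructed samples; the helper names `bro_log_name` and `parse_event` are my own. It also goes slightly beyond the gist by showing that the same path logic yields `conn` for rotated, dated log filenames.

```ruby
require 'json'
require 'time'

# Constructed sample: one line in the shape Bro writes with tuning/json-logs
# loaded and ISO 8601 timestamps (abbreviated field set, made-up values).
SAMPLE_LINE = '{"ts":"2015-08-29T14:20:00.123456Z","uid":"CXWv6p3arKYeMETxOg",' \
              '"id.orig_h":"10.0.0.5","id.orig_p":52344,' \
              '"id.resp_h":"93.184.216.34","id.resp_p":80,' \
              '"proto":"tcp","duration":0.251,"conn_state":"SF"}'
SAMPLE_PATH = '/nsm/bro/logs/current/conn.log'

# Mirrors the gist's ruby filter: drop the directory, keep what precedes the
# first dot. "conn.log" and a rotated "conn.14:00:00-15:00:00.log.gz" both
# give "conn".
def bro_log_name(path)
  File.basename(path).split('.')[0]
end

# Mirrors the date filter: parse 'ts' into a Time object under '@timestamp'
# while leaving the original 'ts' string untouched (it keeps full
# microsecond precision). Lines without 'ts' simply get no @timestamp here.
def parse_event(line, path)
  event = JSON.parse(line)
  event['@timestamp'] = Time.iso8601(event['ts']) if event.key?('ts')
  event['path'] = bro_log_name(path)
  event['type'] = 'bro'
  event
end

if __FILE__ == $0
  puts JSON.pretty_generate(parse_event(SAMPLE_LINE, SAMPLE_PATH))
end
```

Note that the dotted keys such as `id.orig_h` are passed through exactly as Bro emits them; whether the Elasticsearch you point the output at accepts field names containing dots depends on its version, so that is worth checking before indexing.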
```
# Bro side: have the ASCII writer emit JSON with ISO 8601 timestamps,
# which is what the 'json' codec and the 'date' filter above expect
@load tuning/json-logs
redef LogAscii::json_timestamps = JSON::TS_ISO8601;
redef LogAscii::use_json = T;
```