My bro data goes to logstash ==> elasticsearch with something like:
    input {
      file {
        codec => json
        path => "/usr/local/bro/logs/current/*.log"
        type => "bro_log"
      }
      file {
        codec => json
        path => "/opt/bro/logs/current/*.log"
        type => "bro_log"
      }
    }
    filter {
      # Parse the `ts` attribute as a UNIX timestamp (seconds since epoch)
      # and store it in the `@timestamp` attribute. This will be used in Kibana later on.
      date {
        match => [ "ts", "UNIX" ]
      }
      # Expand Bro's short conn_state codes into a readable conn_state_full field.
      translate {
        field => "conn_state"
        destination => "conn_state_full"
        dictionary => [
          "S0", "Attempt",
          "S1", "Established",
          "S2", "Originator close only",
          "S3", "Responder close only",
          "SF", "SYN/FIN completion",
          "REJ", "Rejected",
          "RSTO", "Originator aborted",
          "RSTR", "Responder aborted",
          "RSTOS0", "Originator SYN + RST",
          "RSTRH", "Responder SYN ACK + RST",
          "SH", "Originator SYN + FIN",
          "SHR", "Responder SYN ACK + FIN",
          "OTH", "Midstream traffic"
        ]
      }
      # Derive bro_type (conn, dns, http, ...) from the log file name.
      grok {
        match => { "path" => ".*\/(?<bro_type>[a-zA-Z0-9]+)\.log$" }
      }
    }
    output {
      elasticsearch {
        embedded => true
      }
    }
But there is no data shown in opensoc-ui. If I just use Kibana, I can see a lot of log data in the web UI. I want to know which part I can modify so it shows something?
I found that in the UI the bro_data query uses:
"query": "_type:bro_alert"
Is the bro_alert supposed to be a field in the log data, or do we have to use a different method?
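Added example (not code from the post or from the OpenSOC project): a Python re-implementation of the config's filter chain run over a constructed conn.log record, showing which fields reach Elasticsearch and why an event whose `type` is `bro_log` (the Logstash 1.x elasticsearch output uses the event's `type` as the document `_type` by default) is not returned by the UI's `_type:bro_alert` query.

```python
import json
import re
from datetime import datetime, timezone

# Constructed sample: one Bro conn.log record as the json codec would read it.
SAMPLE_LINE = ('{"ts": 1405512000, "id.orig_h": "10.0.0.5", '
               '"id.resp_h": "10.0.0.9", "conn_state": "S0"}')
SAMPLE_PATH = "/usr/local/bro/logs/current/conn.log"

# Same dictionary as the translate filter in the Logstash config above.
CONN_STATE = {
    "S0": "Attempt", "S1": "Established", "S2": "Originator close only",
    "S3": "Responder close only", "SF": "SYN/FIN completion", "REJ": "Rejected",
    "RSTO": "Originator aborted", "RSTR": "Responder aborted",
    "RSTOS0": "Originator SYN + RST", "RSTRH": "Responder SYN ACK + RST",
    "SH": "Originator SYN + FIN", "SHR": "Responder SYN ACK + FIN",
    "OTH": "Midstream traffic",
}

# Same pattern as the grok filter, in Python's named-group syntax.
BRO_TYPE_RE = re.compile(r".*/(?P<bro_type>[a-zA-Z0-9]+)\.log$")


def apply_pipeline(line, path, input_type="bro_log"):
    """Build the event the config above would hand to the elasticsearch output."""
    event = json.loads(line)
    event["path"] = path
    event["type"] = input_type  # set by the file input; becomes the ES _type
    # date filter: ts (UNIX seconds) -> @timestamp
    event["@timestamp"] = datetime.fromtimestamp(
        event["ts"], tz=timezone.utc).isoformat()
    # translate filter: conn_state -> conn_state_full (unknown codes left unset)
    if event.get("conn_state") in CONN_STATE:
        event["conn_state_full"] = CONN_STATE[event["conn_state"]]
    # grok filter: bro_type from the log file name
    m = BRO_TYPE_RE.match(path)
    if m:
        event["bro_type"] = m.group("bro_type")
    return event


def matches_type_query(event, query):
    """Evaluate a `_type:<name>` query against the event's type field."""
    wanted = query.split(":", 1)[1]
    return event["type"] == wanted


if __name__ == "__main__":
    ev = apply_pipeline(SAMPLE_LINE, SAMPLE_PATH)
    print(json.dumps(ev, indent=2))
    print("_type:bro_alert matches:", matches_type_query(ev, "_type:bro_alert"))
```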