bro elasticsearch plugin + kibana indexing

ELK + Kibana not indexing bro logs

Successfully installed the plugin and ELK, but when I add the index pattern bro-*, the index time-field (@timestamp) appears empty, so I cannot use bro logs with Kibana search. Anyone have the same issue?

Try this

https://github.com/danielguerra69/bro-debian-elasticsearch/blob/master/bro-patch/ElasticSearch.cc.patch

I tried the patch too, but still no timestamp appears. I am using ELK 5.2.2.

It does work. You have to send data first.
Can you show your JSON output?

Don't forget this in the bro script that starts elasticsearch, in the export part:

redef Log::default_scope_sep = "_";

Where do I put this?

redef Log::default_scope_sep = "_";

Do I have to enable JSON output to ascii.bro?

##! Load this script to enable global log output to an ElasticSearch database.

module LogElasticSearch;

export {
	## An elasticsearch specific rotation interval.
	const rotation_interval = 1hr &redef;

	## Optionally ignore any :bro:type:`Log::ID` from being sent to
	## ElasticSearch with this script.
	const excluded_log_ids: set[Log::ID] &redef;

	## If you want to explicitly only send certain :bro:type:`Log::ID`
	## streams, add them to this set.  If the set remains empty, all will
	## be sent.  The :bro:id:`LogElasticSearch::excluded_log_ids` option
	## will remain in effect as well.
	const send_logs: set[Log::ID] &redef;

	## Set the separator
	redef Log::default_scope_sep = "_";
}

The patch wasn't used: your timestamp is not in TS_ISO8601 but in TS_MILLIS,
and your separator is a "." not a "_".

Check my docker

https://hub.docker.com/r/danielguerra/bro-debian-elasticsearch/

What does a TS_ISO8601 timestamp look like? I'll try to recompile; maybe I didn't apply the patch correctly. Thanks again a lot for your help.

Google for it :smiley:
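The two differences named in the thread (epoch-millisecond "ts" versus an ISO 8601 "@timestamp", and "." versus "_" as the scope separator) are what decide whether Kibana can pick a time field for the bro-* index pattern. The following Python script is an added example, not code from the thread or from the bro-debian-elasticsearch project: it reads constructed sample lines shaped like the unpatched writer's output (the field names and millisecond values are assumptions), rewrites them into the form the patched writer would emit, and checks each record before it would be indexed. It stands in for the C++ patch only to make the expected before/after shape visible.

```python
import json
from datetime import datetime, timezone

# Constructed sample input: records in the shape the thread describes for the
# unpatched writer, i.e. "ts" as epoch milliseconds (TS_MILLIS) and nested
# record fields flattened with "." (the default scope separator).
# Values are made up for the example.
SAMPLE_LINES = [
    '{"ts": 1488541200123, "uid": "CHhAvVGS1DHFjwGM9", "id.orig_h": "10.0.0.5", '
    '"id.orig_p": 51234, "id.resp_h": "10.0.0.9", "id.resp_p": 80, "proto": "tcp"}',
    '{"ts": 1488541260500, "uid": "CXWv6p3arKYeMETxOg", "id.orig_h": "10.0.0.7", '
    '"id.orig_p": 40210, "id.resp_h": "10.0.0.9", "id.resp_p": 443, "proto": "tcp"}',
]


def millis_to_iso8601(ms):
    """Render epoch milliseconds as an ISO 8601 UTC string with millisecond
    precision, e.g. 2017-03-03T11:40:00.123Z. Integer arithmetic avoids the
    float rounding that datetime.fromtimestamp(ms / 1000) can introduce."""
    seconds, millis = divmod(int(ms), 1000)
    dt = datetime.fromtimestamp(seconds, tz=timezone.utc)
    return dt.strftime("%Y-%m-%dT%H:%M:%S") + ".%03dZ" % millis


def normalize_record(rec, sep="_"):
    """Apply the two fixes from the thread to one decoded log record:
    replace "." in field names with the chosen scope separator and add an
    ISO 8601 "@timestamp" derived from the millisecond "ts" value."""
    out = {key.replace(".", sep): value for key, value in rec.items()}
    if isinstance(out.get("ts"), (int, float)):
        out["@timestamp"] = millis_to_iso8601(out["ts"])
    return out


def kibana_ready(rec):
    """Return True when the record has an ISO 8601 "@timestamp" and no
    dotted field names, i.e. the shape Kibana's time-field picker expects
    for a bro-* index pattern. Elasticsearch's default date detection maps a
    string of this form to a date field automatically."""
    ts = rec.get("@timestamp")
    if not isinstance(ts, str):
        return False
    try:
        datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S.%fZ")
    except ValueError:
        return False
    return not any("." in key for key in rec)


def process_lines(lines, sep="_"):
    """Decode each JSON line, normalize it, and return the list of records
    that pass the readiness check (bad lines are skipped, not raised)."""
    ready = []
    for line in lines:
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue
        fixed = normalize_record(rec, sep)
        if kibana_ready(fixed):
            ready.append(fixed)
    return ready


if __name__ == "__main__":
    # Show the before/after shape for the first sample line.
    before = json.loads(SAMPLE_LINES[0])
    print("before:", kibana_ready(before), before)
    for rec in process_lines(SAMPLE_LINES):
        print("after: ", kibana_ready(rec), json.dumps(rec))
```

Run it once against a few lines of your own writer output to confirm which of the two properties is missing; a record that still fails kibana_ready after the patch means the recompiled writer is not the one being loaded.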