And away we go! Snag logstash (https://download.elasticsearch.org/logstash/logstash/logstash-1.2.1-flatjar.jar), make a dir and put the jar in there, then create a file in that same dir called logstash.conf and add:
input {
  file {
    # Bro's live conn.log. By default the file input starts tailing at the end
    # of the file, so only connections logged after Logstash starts get indexed;
    # the start_position option controls that if you want what is already there.
    path => "/usr/local/bro/spool/bro/conn.log"
  }
}
filter {
  grok {
    # One capture per conn.log column, in the order Bro writes them. Bro prints
    # "-" for an unset field (local_orig is only T/F when Site::local_nets is
    # defined, history can be unset too), and WORD does not match "-", so those
    # columns use NOTSPACE. The last column also needs NOTSPACE: a lazy DATA at
    # the end of an unanchored grok pattern matches the empty string, so
    # tun_parent would always come out blank. resp_ip_bytes has its own name;
    # reusing resp_bytes for the 19th column would turn that field into an array.
    match => [ "message", "%{BASE10NUM:unixtime}\t%{WORD:uid}\t%{IP:src_ip}\t%{BASE10NUM:src_port}\t%{IP:dst_ip}\t%{BASE10NUM:dst_port}\t%{WORD:proto}\t%{USERNAME:service}\t%{USERNAME:sec_dur}\t%{USERNAME:orig_bytes}\t%{USERNAME:resp_bytes}\t%{WORD:conn_state}\t%{NOTSPACE:local_orig}\t%{INT:missed_bytes}\t%{NOTSPACE:history}\t%{USERNAME:orig_packets}\t%{INT:orig_ip_bytes}\t%{INT:resp_packets}\t%{INT:resp_ip_bytes}\t%{NOTSPACE:tun_parent}" ]
    # The header and footer lines Bro writes (they start with "#") never match
    # and arrive tagged _grokparsefailure; filter that tag out in Kibana or drop
    # those events before they reach the index.
  }
  # Look up both ends of the connection. No fields are added for addresses the
  # database doesn't know, which includes RFC 1918 space, so the internal side
  # of a connection usually gets no *_geoip fields. Both blocks append to the
  # same "coordinates" field, so an event whose two ends both resolve carries
  # an array with both points. Note the string here is "lon,lat"; if you ever
  # map it as an Elasticsearch geo_point, the string form expects "lat,lon".
  geoip {
    source => "src_ip"
    target => "src_geoip"
    fields => [ "ip", "country_code2", "country_name", "latitude", "longitude" ]
    add_field => [ "coordinates", "%{[src_geoip][longitude]},%{[src_geoip][latitude]}" ]
    add_field => [ "srccountry", "%{[src_geoip][country_code2]}" ]
  }
  geoip {
    source => "dst_ip"
    target => "dst_geoip"
    fields => [ "ip", "country_code2", "country_name", "latitude", "longitude" ]
    add_field => [ "coordinates", "%{[dst_geoip][longitude]},%{[dst_geoip][latitude]}" ]
    add_field => [ "dstcountry", "%{[dst_geoip][country_code2]}" ]
  }
}
output {
  # Embedded Elasticsearch: HTTP on 9200, transport on 9300, no authentication,
  # listening on every interface. The Kibana page served on 9292 queries 9200
  # from your browser, so keep both ports off anything but trusted networks.
  elasticsearch { embedded => true }
}
start with (use the name of the jar you actually downloaded; sudo is only there so Logstash can read Bro's spool directory, and "-- web" also brings up the Kibana interface on port 9292):
sudo java -jar logstash-1.2.1-flatjar.jar agent -f logstash.conf -- web
If you're local on the net, point your Firefox at yourmachine:9292. I needed to tunnel 9200, 9300, and 9301 to get it to work remotely. That's all I've got currently... more to come, I hope. Enjoy!
James
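An added check, not code from the original post or from Logstash: the script below emulates the part of grok this config relies on with Python's re module and runs a conn.log pattern over a constructed Bro 2.x log excerpt, skipping the "#" header and footer lines the way the pipeline has to. The GROK_DEFS are simplified transcriptions of the stock Logstash patterns (an assumption to verify against the grok-patterns file in your jar: the real BASE10NUM uses an atomic group and IP also accepts IPv6). It also reproduces two things that bite when the pattern is written with WORD for local_orig and a trailing DATA: WORD refuses Bro's "-" for an unset field, and a lazy DATA at the end of an unanchored pattern captures nothing.

```python
"""Offline grok-pattern check for Bro conn.log lines.

Added example, not code from the original post or from Logstash. GROK_DEFS are
simplified transcriptions of the stock Logstash patterns (assumption: check the
grok-patterns file shipped in your Logstash jar). The conn.log excerpt is
constructed, not captured traffic.
"""
import json
import re

GROK_DEFS = {
    "INT": r"[+-]?[0-9]+",
    "BASE10NUM": r"[+-]?(?:[0-9]+(?:\.[0-9]+)?|\.[0-9]+)",
    "WORD": r"\b\w+\b",            # cannot match Bro's "-" (unset) marker
    "NOTSPACE": r"\S+",
    "USERNAME": r"[a-zA-Z0-9._-]+",
    "IP": r"(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}"
          r"(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)",
    "DATA": r".*?",                # lazy: at the end of a pattern it matches ""
    "GREEDYDATA": r".*",
}

# conn.log pattern with NOTSPACE wherever Bro may write "-" and for the last
# column, and resp_ip_bytes named distinctly from resp_bytes.
CONN_PATTERN = (
    r"%{BASE10NUM:unixtime}\t%{WORD:uid}\t%{IP:src_ip}\t%{BASE10NUM:src_port}\t"
    r"%{IP:dst_ip}\t%{BASE10NUM:dst_port}\t%{WORD:proto}\t%{USERNAME:service}\t"
    r"%{USERNAME:sec_dur}\t%{USERNAME:orig_bytes}\t%{USERNAME:resp_bytes}\t"
    r"%{WORD:conn_state}\t%{NOTSPACE:local_orig}\t%{INT:missed_bytes}\t"
    r"%{NOTSPACE:history}\t%{USERNAME:orig_packets}\t%{INT:orig_ip_bytes}\t"
    r"%{INT:resp_packets}\t%{INT:resp_ip_bytes}\t%{NOTSPACE:tun_parent}"
)

# Constructed Bro 2.x conn.log excerpt: header, two records, footer.
SAMPLE_CONN_LOG = "\n".join([
    "#separator \\x09",
    "#unset_field\t-",
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tservice"
    "\tduration\torig_bytes\tresp_bytes\tconn_state\tlocal_orig\tmissed_bytes"
    "\thistory\torig_pkts\torig_ip_bytes\tresp_pkts\tresp_ip_bytes\ttunnel_parents",
    "1381752000.123456\tCXWv6p3arKYeMETxOg\t10.0.0.5\t52310\t93.184.216.34\t80\ttcp"
    "\thttp\t0.512345\t345\t1928\tSF\t-\t0\tShADadFf\t6\t665\t5\t2188\t(empty)",
    "1381752001.654321\tCjhGID4nQcgTWjvg4c\t10.0.0.5\t52311\t93.184.216.34\t443\ttcp"
    "\t-\t-\t-\t-\tS0\t-\t0\tS\t1\t60\t0\t0\t(empty)",
    "#close\t2013-10-14-13-00-00",
])

GROK_REF = re.compile(r"%\{(\w+)(?::(\w+))?\}")


def grok_to_regex(pattern):
    """Expand %{NAME:field} references into a compiled regex with named groups."""
    seen = set()

    def expand(m):
        name, field = m.group(1), m.group(2)
        body = GROK_DEFS[name]
        if field is None:
            return "(?:" + body + ")"
        if field in seen:
            # Logstash accepts this and silently turns the field into an array.
            raise ValueError("grok field used twice: " + field)
        seen.add(field)
        return "(?P<" + field + ">" + body + ")"

    return re.compile(GROK_REF.sub(expand, pattern))


def check_pattern(pattern, log_text):
    """Run a grok pattern over a conn.log; return (parsed records, unparsed lines).

    Grok searches unanchored, so re.search is used. Lines starting with "#"
    (Bro's header and footer) are skipped: they never match, and the Logstash
    pipeline must drop them too or they all arrive tagged _grokparsefailure.
    """
    regex = grok_to_regex(pattern)
    parsed, failed = [], []
    for line in log_text.splitlines():
        if not line or line.startswith("#"):
            continue
        m = regex.search(line)
        if m:
            parsed.append(m.groupdict())
        else:
            failed.append(line)
    return parsed, failed


if __name__ == "__main__":
    parsed, failed = check_pattern(CONN_PATTERN, SAMPLE_CONN_LOG)
    print(json.dumps(parsed, indent=2))
    print("unparsed lines:", len(failed))                        # 0
    # The two pitfalls reproduced on the same lines:
    _, failed = check_pattern(
        CONN_PATTERN.replace("%{NOTSPACE:local_orig}", "%{WORD:local_orig}"),
        SAMPLE_CONN_LOG)
    print("WORD for local_orig, unparsed lines:", len(failed))   # 2
    parsed, _ = check_pattern(
        CONN_PATTERN.replace("%{NOTSPACE:tun_parent}", "%{DATA:tun_parent}"),
        SAMPLE_CONN_LOG)
    print("trailing DATA captures:", repr(parsed[0]["tun_parent"]))  # ''
```

Point check_pattern at a few hundred real lines from your own conn.log before deploying a pattern change; every line that lands in the failed list is an event Kibana would never show you.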