Elastic/Filebeat and Bro Logs Inquiry


I'm in the process of getting Bro logs fed into a new elasticsearch cluster we're building out and had what I am hoping is a quick and easy question someone could provide input on. My elasticsearch engineering team stood up a logstash server to ingest data input from our various sources, of which Bro is one. I came across the below URL at the elastic site, which gives some direction on an option for getting bro log data ingested. It was my intention to have filebeat loaded on our Bro server and have the "current" log folder monitored for new events, as suggested in the elastic write-up. My elasticsearch engineering team is a little concerned about the hourly log rotation process performed in that folder by bro and how it may impact "live" monitored files.


Is there a concern with this way of monitoring bro events? Is there a "better" way to do this to ensure we don't miss events during the hourly log rotation process? We're a bit new to this so any pointers would be appreciated. Thanks.
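For reference, this is an added example of the Filebeat input configuration the question describes (a log input watching Bro's "current" directory); it is not from the original post, the elastic write-up, or the Bro or Filebeat projects. The Bro log path is an assumption (the default install location varies), and the settings shown are the standard Filebeat log-input options that govern how an open file is handled once Bro renames and compresses it during hourly rotation. Filebeat tracks files by inode rather than by name, so a rotated file keeps being read until it is fully consumed and closed; the options below make that behaviour explicit rather than relying on defaults.

```yaml
filebeat.inputs:
  - type: log
    enabled: true
    # Assumption: Bro writes live logs under this directory; adjust to the local install.
    paths:
      - /usr/local/bro/logs/current/*.log
    # Bro rotation gzips the archived copy; never pick up compressed archives as new files.
    exclude_files: ['\.gz$']
    # Keep reading a file after rotation renames it so events written just before
    # the hourly rotation are not lost (this is the Filebeat default, stated explicitly).
    close_renamed: false
    # Release the handle once the rotated file has been deleted (after gzip replaces it),
    # otherwise the open file descriptor pins disk space until close_inactive fires.
    close_removed: true
    # Close a file that has not been written to for this long; rotated Bro logs go quiet
    # immediately, so this bounds how long the old inode stays open.
    close_inactive: 5m
    # Drop registry state for files that no longer exist so the registry does not grow
    # by one entry per log per hour.
    clean_removed: true
    # How often the directory is re-scanned for the new conn.log, dns.log, etc. that
    # Bro creates after rotation; lower values shorten the gap before new files are picked up.
    scan_frequency: 10s
    # Bro logs are tab-separated with a header block; tag them so Logstash can route them.
    tags: ["bro"]

output.logstash:
  # Assumption: hostname of the Logstash server mentioned in the question.
  hosts: ["logstash.example.internal:5044"]
```

A simple check that rotation is being handled is to compare the per-hour event count in Elasticsearch against the line count of the corresponding archived Bro log (minus its header and footer lines); a consistent shortfall at the top of each hour points at the file being closed before it was fully read, and `close_inactive` or `scan_frequency` is the first place to look.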

Take a look at NSQ. Both Bro and Logstash support using it to transport messages.