redef LogElasticSearch variables

Let me preface this with “I have no idea what I’m doing”.

I want to test out Bro’s native elasticsearch writer…I found that there appear to be two files for this module:

bro/base/frameworks/logging/writers/elasticsearch.bro
bro/policy/tuning/logs-to-elasticsearch.bro

Both of them specify that the module is called “LogElasticSearch”…Is that a problem? At any rate…

I want to specify an ElasticSearch server that is not local. I didn’t see any documentation on this, but saw that elasticsearch.bro has variables like “server_host”. Seems like this would be the thing to change…So, I tried:

@load tuning/logs-to-elasticsearch
redef LogElasticSearch::server_host = "10.10.10.10"

It appears that broctl does not like this invocation. Specifically it chokes and says:

error in /usr/local/bro/share/bro/policy/frameworks/communication/listen.bro, line 6: syntax error, at or near "module"

Which is weird…If I put additional redef’s:

@load tuning/logs-to-elasticsearch
redef LogElasticSearch::server_host = "10.9.12.26"
redef LogElasticSearch::server_port = 9200

I then get:

error in /usr/local/bro/share/bro/site/local.bro, line 113: syntax error, at or near "redef"

(line 113 is the last redef of server_port).

So…What am I doing wrong and how do I configure this plugin to point to another host? Is that book on brogramming out yet? :stuck_out_tongue:

Cheers,

Jesse

The redef line is missing a semicolon. The error when you leave off a
semicolon can be confusing since you get the error after that line.
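For reference, here is the site configuration from the question with both statements properly terminated. This is an added example, not code from the original thread; the host and port values are the ones the question used.

```bro
# local.bro (site script). Added example, not from the original thread.
# Point the native ElasticSearch writer at a remote node instead of localhost.
@load tuning/logs-to-elasticsearch

# Every top-level Bro statement, redef included, must end with a semicolon.
# Without it the parser keeps reading into the next line or the next loaded
# file, which is why the error was reported against listen.bro or against
# the following redef rather than the line that is actually incomplete.
redef LogElasticSearch::server_host = "10.10.10.10";
redef LogElasticSearch::server_port = 9200;
```

Running `broctl check` parses the site scripts and reports this kind of syntax error before `broctl install` pushes the configuration to the nodes.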

bro/base/frameworks/logging/writers/elasticsearch.bro

This is the script level support for the elasticsearch writer.

bro/policy/tuning/logs-to-elasticsearch.bro

This is a utility script to help you send your logs to ElasticSearch. It has some tuning options so you can choose if you only want to send certain logs.

Both of them specify that the module is called "LogElasticSearch"...Is that a problem? At any rate…

Defining a module only sets that to your current namespace. You can define it multiple times.

I believe Justin answered the rest of your question. :slight_smile:

  .Seth

Ah yes, syntax… :slight_smile:

Thank you all, that checks out ok.

Cheers,

Jesse

Classification: UNCLASSIFIED
Caveats: NONE

Seth,

We spoke at the 2012 Bro Exchange about how Bro can be used on a filesystem of a host or such, brain a bit fuzzy this early in the morning at 10:36 :slight_smile: Could you expand on the topic a bit/point me in the right direction?

Thanks,

SSG Charles "Chuck" A. Fair (not a CISSP, but passed the test)
Information Systems/Information Assurance NCO
Information Technology Training Center, PEC, Camp Robinson AR

How are you looking to use it? We have the input framework in 2.1 for reading from inputs that we have plugins for (essentially only Bro logs and text files right now). We may have quite a bit more functionality regarding that in 2.2.

  .Seth

If I understand correctly, the input framework is the way that log files,
for instance from a host, can be ingested by Bro? One of the things I was
interested in doing was identifying key information from a log, such as a MS
Windows Event log, via event viewer to syslog, with network traffic. This
would be similar to how Bro can analyze SSL Certs.

What I was wondering about was what could Bro do with a filesystem beyond
log files? An example on a MS system would be identifying the last run time
of a file via prefetch data that was communicating over a socket, that was
identified by Bro. Of course this is assuming that Bro has access to the
filesystem of the system in question.

Regards,

SSG Charles "Chuck" A. Fair
Information Systems/Information Assurance NCO
Information Technology Training Center, PEC, Camp Robinson AR

If I understand correctly, the input framework is the way that log files,
for instance from a host, can be ingested by Bro?

It's a bit more comprehensive than that since the input framework is plugin based and we will be releasing plugins for more things over time (databases, etc).

One of the things I was
interested in doing was identifying key information from a log, such as a MS
Windows Event log, via event viewer to syslog, with network traffic.

I don't want to talk about it publicly yet because things are still a little unclear, but I've been having concrete discussions with a couple of people related to this functionality. It's definitely on our radar.

  .Seth