This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # encoding: utf-8 # *NOTE*: I have no idea what I'm doing and this is untested. Use at your own risk | |
| # (though I welcome assistance) | |
| require "logstash/filters/base" | |
| require "logstash/namespace" | |
| require "csv" | |
| require "bigdecimal" | |
| # The Bro filter takes an event field containing Bro log data, parses it, |
dcode
/ gist:afb3f21c0dd5801ad540
Created
October 29, 2014 23:56
bro log to pipe separated values (PSV) w/ camelcase headers
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| bro-cut -uc -F'|' | grep -E '^#fields|^2014' | sed 's/^#fields|//' | sed -e '1s/\./_/g' -e '1s/_\([a-z]\)/\u\1/g' |
dcode
/ gist:21a3bdff757f81e9be95
Created
March 23, 2015 20:02
Gource, fed from bro conn.log in real-time.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # See details in this blog entry: | |
| # http://www.echothrust.com/blogs/monitoring-pf-logs-gource | |
| ssh sensor01 "stdbuf -i0 -o0 -e0 tail -F -n +1 /var/opt/bro/logs/current/conn.log | stdbuf -i0 -o0 -e0 /opt/bro/bin/bro-cut -F\| ts id.orig_h id.resp_h id.resp_p proto" | stdbuf -i0 -o0 -e0 awk -F\| -vOFS=\| '{ gsub(/\..+/, "", $1); print $1, $2, "A", "/"$3"/"$2"/"$2":"$5"."$4,"#FF00ff"}' | ./gource --multi-sampling --no-vsync --title "bro conn activity" --key --realtime --highlight-users --highlight-dirs --user-friction 0.2 --user-scale 0.8 --log-format custom --disable-auto-rotate -i 0 - |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| $1 ~ /#fields.*/ { print $0 "\tend"; next }; | |
| $1 ~ /#types/ { print $0 "\ttime"; next }; | |
| $1 ~ /^#.*/ { print $0; next}; | |
| $1 ~ /^[^#]/ { OFMT="%.16g"; print $0, $1+$9 } |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/bin/sh | |
| # Init script for kibana | |
| # Maintained by | |
| # Generated by pleaserun. | |
| # Implemented based on LSB Core 3.1: | |
| # * Sections: 20.2, 20.3 | |
| # | |
| ### BEGIN INIT INFO | |
| # Provides: kibana | |
| # Required-Start: $remote_fs $syslog |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| user="root" | |
| group="root" | |
| chroot="/" | |
| chdir="/" | |
| nice="" |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| You just need to save that to rpm2cpio.sh, make it executable, and then | |
| run | |
| rpm2cpio rpm-4.1.1-1.7x.src.rpm | cpio -idv | |
| Source: http://www.redhat.com/archives/rpm-list/2003-June/msg00367.html |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| input { | |
| file { path => ["/var/opt/bro/logs/current/*.log"] type => "bro" } | |
| } | |
| filter { | |
| if [type] == "bro" { | |
| bro { } | |
| } | |
| } |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Notice tail | |
| stdbuf -o0 tail -n+1 -F notice.log \ | |
| | stdbuf -o0 bro-cut -d ts note msg \ | |
| | awk -F'\t' '{ print "================\n" $1, $2"\n", $3 }' | |
| # HTTP Tail | |
| stdbuf -o0 tail -n+1 -F http.log \ | |
| | stdbuf -o0 bro-cut id.orig_h uri user_agent \ | |
| | awk -F'\t' '{ print "=================\n" $1, $2"\n", $3 }' | |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # This logstash config was created for the Logstash 1.5 beta, but I think should work on 1.4.x | |
| # Rename it to .conf, I think. I put .rb for formatting in Gist | |
| input { | |
| file { | |
| path => '/nsm/bro/logs/current/*.log' | |
| codec => "json" | |
| start_position => "beginning" | |
| type => "bro" | |
| # The @metadata field is for logstash internal tracking only |