hillar/heka_bro.toml

## heka_bro.toml
[LogstreamerInput]
log_directory = "/var/log/bro"
file_match = '.*\.log'
priority = ["^conn"]
decoder = "Json"
## see https://www.bro.org/sphinx-git/scripts/policy/tuning/json-logs.bro.html?highlight=json
#echo "@load tuning/json-logs" >> /usr/share/bro/site/local.bro
#echo "redef LogAscii::json_timestamps = JSON::TS_ISO8601;" >> /usr/share/bro/site/local.bro

[Json]
type = "SandboxDecoder"
#wget https://gist.githubusercontent.com/hillar/859a5b802ee8d0ff988a/raw/82d96c45a905f6b18613cf1c6448e49f0655cffe/flatten_json.lua
#mv flatten_json.lua /usr/share/heka/
filename = "flatten_json.lua"
[Json.config]
type = "raw.bro"
debug = false

[ESJsonEncoder]
index = "%{Type}-%{2006.01.02}"
es_index_from_timestamp = true
type_name = "%{Type}"

[ElasticSearchOutput]
message_matcher = "Type =~ /.*bro$/"
server = "http://localhost:9200"
flush_interval = 5000
flush_count = 100
encoder = "ESJsonEncoder"
	[LogstreamerInput]
	log_directory = "/var/log/bro"
	file_match = '.*\.log'
	priority = ["^conn"]
	decoder = "Json"
	## see https://www.bro.org/sphinx-git/scripts/policy/tuning/json-logs.bro.html?highlight=json
	#echo "@load tuning/json-logs" >> /usr/share/bro/site/local.bro
	#echo "redef LogAscii::json_timestamps = JSON::TS_ISO8601;" >> /usr/share/bro/site/local.bro

	[Json]
	type = "SandboxDecoder"
	#wget https://gist.githubusercontent.com/hillar/859a5b802ee8d0ff988a/raw/82d96c45a905f6b18613cf1c6448e49f0655cffe/flatten_json.lua
	#mv flatten_json.lua /usr/share/heka/
	filename = "flatten_json.lua"
	[Json.config]
	type = "raw.bro"
	debug = false

	[ESJsonEncoder]
	index = "%{Type}-%{2006.01.02}"
	es_index_from_timestamp = true
	type_name = "%{Type}"

	[ElasticSearchOutput]
	message_matcher = "Type =~ /.*bro$/"
	server = "http://localhost:9200"
	flush_interval = 5000
	flush_count = 100
	encoder = "ESJsonEncoder"