aushape

Implement support for an output format which can easily be forwarded to Elasticsearch

Open · spbnick opened this issue 8 years ago · 1 comment

Make sure the basic file output supports a format which can easily be massaged into an Elasticsearch index or bulk API. This would help users try getting their existing audit logs into Elasticsearch.

Also add instructions for that to README.md.

spbnick avatar Feb 28 '17 13:02 spbnick

After running a local Elastic cluster with 3 instances, I have used the following commands to add data into Elastic after cloning your repo.

# Create the "auditd" index with the aushape mapping as the "aushape" type.
curl -v  -H 'Content-Type: application/json' \
    --noproxy <elastic-ip> \
    'http://<elastic-ip>:9403/auditd?pretty' \
    -d '{"mappings":{"aushape":'"$(cat aushape/lib/aushape.mapping.json)"'}}'

# Index one document per audit log line.
# IFS= and -r keep each line byte-for-byte (leading spaces, backslashes);
# printf '%s\n' passes it unmodified, which an unquoted echo would not.
while IFS= read -r MYLINE ; do
  curl -v -H 'Content-Type: application/json' \
  --noproxy <elastic-ip> \
  'http://<elastic-ip>:9403/auditd/aushape?pretty' \
  -d "$(printf '%s\n' "$MYLINE" | aushape -l json --events-per-doc=none --fold=all )"
done < audit.log

git001 avatar Mar 01 '17 09:03 git001
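The bulk API route the issue asks for, as an added example (not code from the issue or from the aushape project): it wraps the one-document-per-line JSON that `aushape -l json --events-per-doc=none --fold=all` emits into Elasticsearch bulk NDJSON (an action line followed by the document line), so a whole log is sent in one request instead of one curl per event. The index name "auditd", type "aushape" and the `<elastic-ip>` host follow the commands in the comment above; the JSON lines in `sample_events` are constructed stand-ins, not real aushape output.

```shell
#!/bin/sh
# Added example, not part of the aushape project.

# to_bulk INDEX TYPE  < one-JSON-document-per-line  > bulk NDJSON
to_bulk() {
  index="$1"
  type="$2"
  # IFS= and -r keep the JSON exactly as emitted (leading spaces, backslashes);
  # the "|| [ -n ... ]" clause keeps a final line that has no trailing newline.
  while IFS= read -r line || [ -n "$line" ]; do
    [ -z "$line" ] && continue
    printf '{"index":{"_index":"%s","_type":"%s"}}\n' "$index" "$type"
    printf '%s\n' "$line"
  done
}

# bulk_line_count FILE -> number of lines in FILE. A well-formed bulk body
# always has an even count (one action line per document line).
bulk_line_count() {
  wc -l < "$1" | tr -d ' '
}

# Constructed sample standing in for two aushape JSON output lines.
sample_events() {
  printf '%s\n' \
    '{"event":"constructed-sample-1"}' \
    '{"event":"constructed-sample-2"}'
}

# Against a real cluster the pipeline is (not run here):
#   aushape -l json --events-per-doc=none --fold=all < audit.log \
#     | to_bulk auditd aushape > audit.bulk
#   curl -H 'Content-Type: application/x-ndjson' --noproxy <elastic-ip> \
#     'http://<elastic-ip>:9403/_bulk?pretty' --data-binary @audit.bulk
```

The bulk body must be sent with `--data-binary` so curl preserves the newlines that separate action and document lines.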