enrich bro dns logs

Open philhagen opened this issue 7 years ago • 2 comments

for any [answer] that is an IP, add to [ips] and grok to [answer_ip] for enrichment? passivedns makes this easy since each answer is its own log entry... may need to split the bro entry to multiple events for parallel handling?

philhagen avatar Mar 15 '17 21:03 philhagen

other option is to use ruby code, but concerned about performance impact

philhagen avatar Mar 17 '17 15:03 philhagen
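One way to do the split-out from the first comment with the Ruby filter the second comment considers, as an added example that is not SOF-ELK's own code: the function takes a Zeek/Bro dns.log `answers` value (JSON array or TSV comma-separated string), keeps only the IPv4/IPv6 literals, and the `filter(event)` wrapper copies them into `[answer_ip]` and the shared `[ips]` array. The field names `answers`, `answer_ip`, `answer_other` and `ips` are assumptions, and the sample values are constructed.

```ruby
require 'ipaddr'

# Split a Zeek/Bro dns.log "answers" value into the IP literals it contains.
# Accepts the JSON form (an Array of strings) or the TSV form (a
# comma-separated String). Non-IP answers (CNAME targets, TXT data) are
# returned under 'answer_other' so nothing is silently dropped.
def split_dns_answers(answers)
  list = answers.is_a?(Array) ? answers : answers.to_s.split(',')
  ips = []
  other = []
  list.map(&:strip).reject(&:empty?).each do |a|
    next if a == '-' # Zeek's empty-field marker
    begin
      ip = IPAddr.new(a) # raises on anything that is not an IPv4/IPv6 literal
      ips << ip.to_s
    rescue IPAddr::InvalidAddressError, ArgumentError
      other << a
    end
  end
  { 'answer_ip' => ips.uniq, 'answer_other' => other }
end

# Entry point for a Logstash `ruby { path => ... }` filter (hypothetical field
# names): copies IP answers into [answer_ip] and appends them to [ips], the
# array that downstream enrichment filters (e.g. geoip) already consume.
def filter(event)
  fields = split_dns_answers(event.get('answers'))
  return [event] if fields['answer_ip'].empty?
  event.set('answer_ip', fields['answer_ip'])
  event.set('ips', ((event.get('ips') || []) + fields['answer_ip']).uniq)
  [event]
end
```

Because every IP lands on the same event instead of one event per answer, no re-splitting is needed for parallel handling, but a single dns.log line with many answers still produces a multi-valued `answer_ip`.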

I've done a few things like this by invoking ruby and the performance has been good. I permanently leave these two config files enabled so I can easily monitor time impacts on logs:

https://github.com/SMAPPER/Logstash-Configs/tree/master/configfiles-OPTIONAL

SMAPPER avatar Mar 17 '17 15:03 SMAPPER

this is handled via other means now. will continue to consider a "time in flight" metadata calculation though

philhagen avatar Nov 16 '23 20:11 philhagen