##! Load this script to enable global log output to an ElasticSearch database.
# Everything declared below lives in the LogElasticSearch namespace; the
# exported identifiers are addressed as LogElasticSearch::<name> elsewhere.
module LogElasticSearch;
export {
	## An elasticsearch specific rotation interval. It becomes the
	## ``$interv`` of the "default-es" filter that this script's
	## ``bro_init`` handler attaches to each log stream.
	const rotation_interval = 3hr &redef;

	## Optionally ignore any :bro:type:`Log::ID` from being sent to
	## ElasticSearch with this script. Exclusion is checked before the
	## :bro:id:`LogElasticSearch::send_logs` opt-in, so a stream listed
	## here is never exported even if it also appears there. Because the
	## handler walks every entry of ``Log::active_streams``, this set is
	## the place to keep streams that must not leave the host out of the
	## export.
	const excluded_log_ids: set[Log::ID] &redef;

	## If you want to explicitly only send certain :bro:type:`Log::ID`
	## streams, add them to this set. If the set remains empty, all will
	## be sent. The :bro:id:`LogElasticSearch::excluded_log_ids` option will remain in
	## effect as well.
	const send_logs: set[Log::ID] &redef;
}
## Attaches a "default-es" filter using the ElasticSearch writer to every
## stream in ``Log::active_streams``, honouring the ``excluded_log_ids``
## opt-out and the ``send_logs`` opt-in sets. Does nothing when
## ``server_host`` is empty. The negative priority is presumably so that
## handlers creating the streams run first; confirm against the writer's
## own init script, which is also where ``server_host`` appears to come
## from (it is not declared in this file).
event bro_init() &priority=-5
	{
	# No ElasticSearch server configured: leave the logging framework alone.
	if ( server_host == "" )
		return;

	# send_logs is a redef'able const, so the opt-in mode is fixed for the
	# whole loop.
	local opt_in_mode = |send_logs| > 0;

	for ( stream_id in Log::active_streams )
		{
		# Exclusion always wins, regardless of the opt-in set.
		if ( stream_id in excluded_log_ids )
			next;

		# With a non-empty send_logs, only its members are exported.
		if ( opt_in_mode && stream_id !in send_logs )
			next;

		Log::add_filter(stream_id, [$name = "default-es",
		                            $writer = Log::WRITER_ELASTICSEARCH,
		                            $interv = LogElasticSearch::rotation_interval]);
		}
	}