I have a question about the built-in bro grok patterns.
In Bro you can greatly change the fields that are present depending on what scripts/mods/policies you load.
When you look at their log-file docs MOST of the fields are optional. So can grok really do a comprehensive job labeling the fields?
Any help greatly appreciated 
More Info: Question about creating Brobeat
Here are the patterns I am talking about - https://github.com/logstash-plugins/logstash-patterns-core/blob/master/patterns/bro
More clarification: when I stood up a simple test with BRO_HTTP and my logs I saw that it was incorrectly parsing them.
This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.
© 2020. All Rights Reserved - Elasticsearch
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant logo are trademarks of the Apache Software Foundation in the United States and/or other countries.