Software versions:

  • Bro 2.5.1 – on Debian 8.9 bro server
  • Logstash 2.2.4 on Debian 8.9 bro server
  • Elasticsearch 2.4.6 on Debian 8.9 ELK server
  • Kibana 4.3.0.9369 on Debian 8.9 ELK server


First install Java on both systems:

sudo add-apt-repository -y ppa:webupd8team/java
sudo apt-get update
sudo apt-get -y install oracle-java8-installer


Next install Elasticsearch:

wget -qO - https://packages.elastic.co/GPG-KEY-elasticsearch | sudo apt-key add -
echo "deb http://packages.elastic.co/elasticsearch/2.x/debian stable main" | sudo tee -a /etc/apt/sources.list.d/elasticsearch-2.x.list
sudo apt-get update
sudo apt-get -y install elasticsearch

Edit /etc/elasticsearch/elasticsearch.yml and change network.host from ‘localhost’ to the IP of your server.  Elasticsearch 2.x has no authentication of its own, so pick an address the Bro server can reach but that is not exposed to untrusted networks, and firewall port 9200 accordingly.  Then start Elasticsearch.

sudo systemctl enable elasticsearch && sudo systemctl start elasticsearch


Install Kibana:

echo "deb http://packages.elastic.co/kibana/4.4/debian stable main" | sudo tee -a /etc/apt/sources.list.d/kibana-4.4.x.list
sudo apt-get update
sudo apt-get -y install kibana

Edit /opt/kibana/config/kibana.yml and change server.host from ‘localhost’ to your IP.  Kibana 4 likewise has no built-in login, so restrict access to port 5601 (firewall rule or an authenticating reverse proxy).  Then start Kibana.

sudo systemctl enable kibana && sudo systemctl start kibana


Install Logstash:

echo 'deb http://packages.elastic.co/logstash/2.2/debian stable main' | sudo tee /etc/apt/sources.list.d/logstash-2.2.x.list
sudo apt-get update
sudo apt-get -y install logstash

Grab these files.  Use the raw.githubusercontent.com URLs: the github.com/.../blob/... links return the HTML page, not the config itself.

cd /etc/logstash/conf.d
wget https://raw.githubusercontent.com/mattclemons/logstash-bro251/master/bro-conn_log.conf
wget https://raw.githubusercontent.com/mattclemons/logstash-bro251/master/bro-dns_log.conf
wget https://raw.githubusercontent.com/mattclemons/logstash-bro251/master/bro-files_log.conf
wget https://raw.githubusercontent.com/mattclemons/logstash-bro251/master/bro-http_log.conf
wget https://raw.githubusercontent.com/mattclemons/logstash-bro251/master/bro-intel_log.conf
wget https://raw.githubusercontent.com/mattclemons/logstash-bro251/master/bro-notice_log.conf
wget https://raw.githubusercontent.com/mattclemons/logstash-bro251/master/bro-ssh_log.conf
wget https://raw.githubusercontent.com/mattclemons/logstash-bro251/master/bro-ssl_log.conf
wget https://raw.githubusercontent.com/mattclemons/logstash-bro251/master/bro-tunnel_log.conf
wget https://raw.githubusercontent.com/mattclemons/logstash-bro251/master/bro-x509_log.conf

Edit each file so the input path points to the matching Bro log and the elasticsearch output points to the IP you set for network.host above.

Test the logstash config.

/opt/logstash/bin/logstash agent -f /etc/logstash/conf.d --configtest

And start it.

sudo systemctl enable logstash && sudo systemctl start logstash
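To see what a record will look like before it reaches Elasticsearch, here is an added example (not code from the post or from the logstash-bro251 repository) that does by hand what the Logstash configs above do for each Bro log: split rows on the declared #separator, name the columns from the #fields header, cast values by #types, treat the #unset_field and #empty_field markers as null and empty, and rename dotted names such as id.orig_h to id_orig_h. The underscore renaming and the log_type field are this example's choices (Elasticsearch 2.x does not accept dots in field names by default); the conn.log excerpt is constructed, not captured traffic.

```python
"""Parse Bro 2.5.1 ASCII logs into JSON-ready records (added example)."""
import datetime
import json

# Constructed conn.log excerpt in Bro's tab-separated ASCII format.
SAMPLE_CONN_LOG = (
    "#separator \\x09\n"
    "#set_separator\t,\n"
    "#empty_field\t(empty)\n"
    "#unset_field\t-\n"
    "#path\tconn\n"
    "#open\t2017-09-01-00-00-00\n"
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto"
    "\tservice\tduration\torig_bytes\tresp_bytes\tconn_state\ttunnel_parents\n"
    "#types\ttime\tstring\taddr\tport\taddr\tport\tenum"
    "\tstring\tinterval\tcount\tcount\tstring\tset[string]\n"
    "1504224000.123456\tCXWv6p3arKYeMETxOg\t10.0.0.5\t52345\t93.184.216.34\t80"
    "\ttcp\thttp\t0.5\t120\t540\tSF\t(empty)\n"
    "1504224001.000000\tCjhGID4nQcgTWjvg4c\t10.0.0.7\t40001\t10.0.0.1\t53"
    "\tudp\tdns\t-\t-\t-\tS0\t-\n"
    "#close\t2017-09-01-01-00-00\n"
)


def _cast(value, bro_type, meta):
    """Convert one column using its #types entry; '-' is unset, '(empty)' is empty."""
    if value == meta["unset"]:
        return None
    if bro_type.startswith(("set[", "vector[")):
        if value == meta["empty"]:
            return []
        inner = bro_type[bro_type.index("[") + 1:-1]
        return [_cast(v, inner, meta) for v in value.split(meta["set_sep"])]
    if value == meta["empty"]:
        return ""
    if bro_type in ("time", "interval", "double"):
        return float(value)
    if bro_type in ("count", "int", "port"):
        return int(value)
    if bro_type == "bool":
        return value == "T"
    return value  # string, addr, subnet, enum stay as text


def parse_bro_log(text):
    """Return one dict per data row, with header metadata applied."""
    meta = {"sep": "\t", "set_sep": ",", "empty": "(empty)", "unset": "-", "path": None}
    fields, types, records = [], [], []
    for raw in text.splitlines():
        if not raw:
            continue
        if raw.startswith("#separator "):
            # The separator is written as an escape sequence, e.g. \x09 for tab.
            meta["sep"] = raw[len("#separator "):].encode("ascii").decode("unicode_escape")
            continue
        if raw.startswith("#"):
            key, _, val = raw[1:].partition(meta["sep"])
            if key == "fields":
                fields = val.split(meta["sep"])
            elif key == "types":
                types = val.split(meta["sep"])
            elif key == "set_separator":
                meta["set_sep"] = val
            elif key == "empty_field":
                meta["empty"] = val
            elif key == "unset_field":
                meta["unset"] = val
            elif key == "path":
                meta["path"] = val
            continue  # #open / #close carry no data
        values = raw.split(meta["sep"])
        if len(values) != len(fields):
            raise ValueError("row has %d columns, header declares %d" % (len(values), len(fields)))
        col_types = types or ["string"] * len(fields)
        rec = {"log_type": meta["path"]}  # example's own field, taken from #path
        for name, typ, val in zip(fields, col_types, values):
            rec[name.replace(".", "_")] = _cast(val, typ, meta)  # id.orig_h -> id_orig_h
        if isinstance(rec.get("ts"), float):
            # ISO-8601 UTC, the shape Logstash's date filter would give @timestamp
            stamp = datetime.datetime.fromtimestamp(rec["ts"], datetime.timezone.utc)
            rec["@timestamp"] = stamp.strftime("%Y-%m-%dT%H:%M:%S.%fZ")
        records.append(rec)
    return records


def to_ndjson(records):
    """One JSON document per line, the form Elasticsearch indexing expects."""
    return "\n".join(json.dumps(r, sort_keys=True) for r in records)


if __name__ == "__main__":
    print(to_ndjson(parse_bro_log(SAMPLE_CONN_LOG)))
```

Run it against a real file with `parse_bro_log(open("/path/to/conn.log").read())` and compare the keys with what your Logstash config emits; a mismatched column count raises rather than silently shifting fields, which is the failure you would otherwise only notice in Kibana.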


Check /var/log/logstash/logstash.log for errors.  It’s fun!


References:

http://knowm.org/integrate-bro-ids-with-elk-stack/  <– modded this person’s configs to include and rename new bro 2.5.1 fields.
http://brostash.herokuapp.com/  <– cool if you want to use patterns.
https://www.elastic.co/blog/bro-ids-elastic-stack
