Friday, September 16, 2016

Bro and Elasticsearch Integration

First, fix dots in ES 2.4:

Fix dots in field names

Next install Bro ElasticSearch plugin:

Bro ElasticSearch Plugin

with a couple of caveats: you'll need to cd to bro-2.4.1/aux/plugins/elasticsearch before running ./configure && make && make install, and the default directory the plugin installs into is bro-install-dir/lib/bro/plugins/.


The index template below, applied with curl, sets every string field to not_analyzed and maps the source and destination address fields (plus assigned_ip) to the ip field type:

curl -XPUT "http://localhost:9200/_template/bro_template" -d '
{
  "template": "bro-*",
  "order": 1,
  "mappings": {
    "_default_": {
      "dynamic_templates": [
        {
          "strings": {
            "match_mapping_type": "string",
            "mapping": {
              "type": "string",
              "index": "not_analyzed"
            }
          }
        }
      ]
    },
    "bro_ts": {
      "properties": {
        "ts": {
          "type": "date",
          "format": "epoch_millis"
        }
      }
    },
    "bro_orig_h": {
      "properties": {
        "id.orig_h": {
          "type": "ip"
        }
      }
    },
    "bro_resp_h": {
      "properties": {
        "id.resp_h": {
          "type": "ip"
        }
      }
    },
    "bro_assigned_ip": {
      "properties": {
        "assigned_ip": {
          "type": "ip"
        }
      }
    }
  }
}'
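As an added example (not code from this post, the Bro project or the plugin), the Python script below parses Bro's TSV log format, converts records into the document shape the template above expects (ts as epoch milliseconds, unset `-` fields dropped), and reports which mapping each field resolves to under the template: explicit `properties` first, then the not_analyzed string rule, then Elasticsearch's default dynamic detection. The conn.log excerpt, its UIDs and its addresses are constructed sample input, and the template is embedded as a Python dict so nothing talks to a live cluster. One caveat the helper makes visible: it gathers `properties` from every mapping type in the template, but Elasticsearch 2.x applies a type's properties only to documents indexed under that type name, so confirm that the index and type names the Bro writer uses line up with the template before relying on the ip and date mappings.

```python
import json

# The index template from the post, embedded so the example runs offline.
BRO_TEMPLATE = {
    "template": "bro-*",
    "order": 1,
    "mappings": {
        "_default_": {
            "dynamic_templates": [
                {"strings": {
                    "match_mapping_type": "string",
                    "mapping": {"type": "string", "index": "not_analyzed"}}}
            ]
        },
        "bro_ts": {"properties": {"ts": {"type": "date", "format": "epoch_millis"}}},
        "bro_orig_h": {"properties": {"id.orig_h": {"type": "ip"}}},
        "bro_resp_h": {"properties": {"id.resp_h": {"type": "ip"}}},
        "bro_assigned_ip": {"properties": {"assigned_ip": {"type": "ip"}}},
    },
}

# Constructed sample: Bro's header lines plus two connection records (tabs as \t).
SAMPLE_CONN_LOG = """\
#set_separator\t,
#empty_field\t(empty)
#unset_field\t-
#path\tconn
#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tservice\tduration\torig_bytes\tresp_bytes\tconn_state
#types\ttime\tstring\taddr\tport\taddr\tport\tenum\tstring\tinterval\tcount\tcount\tstring
1474034400.123456\tCXWv6p3arKYeMETxOg\t192.0.2.10\t51234\t198.51.100.20\t443\ttcp\tssl\t1.5\t1024\t4096\tSF
1474034401.000000\tCjhGID4nQcgTWjvg4c\t192.0.2.11\t51235\t198.51.100.21\t53\tudp\tdns\t-\t60\t-\tS0
"""


def parse_bro_log(text):
    """Parse Bro's TSV log format; returns ({field: bro_type}, [record dicts])."""
    fields, types, records = [], [], []
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line.startswith("#types"):
            types = line.split("\t")[1:]
        elif line.startswith("#") or not line:
            continue  # other header lines (#path, #unset_field, ...) and blanks
        else:
            values = line.split("\t")
            if len(values) != len(fields):
                raise ValueError("column count does not match the #fields header")
            records.append(dict(zip(fields, values)))
    return dict(zip(fields, types)), records


def to_es_document(record, types_by_field):
    """Convert one parsed record into the JSON document shape the template expects."""
    doc = {}
    for field, raw in record.items():
        if raw in ("-", "(empty)"):
            continue  # unset/empty: omit the field instead of indexing a placeholder
        bro_type = types_by_field[field]
        if bro_type == "time":
            doc[field] = int(round(float(raw) * 1000))  # epoch_millis, as the "ts" mapping says
        elif bro_type in ("count", "int", "port"):
            doc[field] = int(raw)
        elif bro_type in ("interval", "double"):
            doc[field] = float(raw)
        else:
            doc[field] = raw  # addr, string, enum, ... are sent as strings; "ip" mapping parses addr
    return doc


def explicit_properties(template):
    """Collect the explicit field mappings declared under every mapping type.
    ES 2.x applies a type's properties only to documents indexed under that type
    name, so the index/type names the Bro writer uses must match the template's."""
    props = {}
    for mapping in template["mappings"].values():
        props.update(mapping.get("properties", {}))
    return props


def resolve_mapping(field, value, template):
    """Explicit property, else the dynamic template, else ES's default detection."""
    explicit = explicit_properties(template)
    if field in explicit:
        return explicit[field]
    for rule in template["mappings"]["_default_"]["dynamic_templates"]:
        (body,) = rule.values()
        if body["match_mapping_type"] == "string" and isinstance(value, str):
            return body["mapping"]
    if isinstance(value, bool):
        return {"type": "boolean"}
    if isinstance(value, int):
        return {"type": "long"}
    if isinstance(value, float):
        return {"type": "double"}
    return {"type": "object"}


def mapping_report(text, template=BRO_TEMPLATE):
    """Documents for every record, plus the mapping each field resolves to."""
    types_by_field, records = parse_bro_log(text)
    docs = [to_es_document(r, types_by_field) for r in records]
    report = {}
    for doc in docs:
        for field, value in doc.items():
            report.setdefault(field, resolve_mapping(field, value, template))
    return docs, report


if __name__ == "__main__":
    docs, report = mapping_report(SAMPLE_CONN_LOG)
    print(json.dumps(docs[0], indent=2))
    for field, mapping in report.items():
        print(f"{field:12s} -> {json.dumps(mapping)}")
```

Run it as-is to see the document for the first record and the per-field mapping table; to check a real log, pass the contents of a conn.log (or dhcp.log for assigned_ip) to mapping_report instead of the constructed sample.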
