Are you assuming only Conn, DNS, and HTTP logs from Bro? Right now I think that's all that is supported by default. I put something together <https://github.com/JonZeolla/incubator-metron/commit/736cc39525f9f08f6e781faea2610e893327e74c> a few months ago to handle all of the default-on Bro logs/fields (METRON-508 <https://issues.apache.org/jira/browse/METRON-508>), but haven't had a chance to test and make a PR.
Jon

On Wed, Mar 1, 2017 at 8:21 AM Justin Leet <justinjl...@gmail.com> wrote:

> Similar to the YAF dashboard from https://issues.apache.org/jira/browse/METRON-676, it would be nice to have a similar Zeppelin dashboard for Bro.
>
> Couple topics we can include
>
> - Number of total queries per hour
> - Geo-location frequency
> - Top sites requests vs non-top requests
>
> The Alexa requests tie in with https://issues.apache.org/jira/browse/METRON-709, specifically the part about modifying Bro configs to use the data. There's been some discussion on where that lives and how it's managed, so we won't be able to do much with it right now.
>
> Is there anything else we'd consider essential in our first pass? Or anything we'd like to iterate on in the future? I'm not an expert in how Bro data actually looks in practice, so I'd love to get some input on features that would be nice to have.
>
> For these types of dashboards, there's also the question of, using top sites as an example, of "If this user doesn't have top sites data, is there anything we can do in Zeppelin about hiding or not displaying that paragraph?". I don't believe there's a built in way to handle that (but again, I could be wrong), so it might involve being a bit more verbose in what we actually do in the paragraphs.
>
> Justin

--
Jon
Sent from my mobile device
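As an added illustration of two of the dashboard metrics proposed in the thread (queries per hour, and top-site vs non-top-site requests with the "no top sites data" case handled by returning nothing rather than an empty chart), here is example code that is not from the Metron project or either poster. It assumes the one-JSON-object-per-line shape the Metron Bro Kafka plugin emits, with the log type as the top-level key; the log lines and the top-sites list are constructed.

```python
import json
from collections import Counter
from datetime import datetime, timezone

# Constructed sample lines (not real traffic). Shape assumed: one JSON object
# per line, keyed by the Bro log type, as the Metron Bro Kafka plugin emits.
SAMPLE_LOG_LINES = [
    '{"dns": {"ts": 1488372000.0, "id.orig_h": "10.0.0.5", "query": "www.example.com", "qtype_name": "A"}}',
    '{"dns": {"ts": 1488372600.5, "id.orig_h": "10.0.0.5", "query": "cdn.example.net", "qtype_name": "A"}}',
    '{"dns": {"ts": 1488375700.0, "id.orig_h": "10.0.0.9", "query": "odd-host.invalid", "qtype_name": "A"}}',
    '{"http": {"ts": 1488375800.0, "id.orig_h": "10.0.0.9", "host": "www.example.com", "uri": "/"}}',
]


def parse_bro_lines(lines):
    """Return (log_type, record) pairs; malformed lines are skipped, not fatal."""
    out = []
    for line in lines:
        try:
            obj = json.loads(line)
        except ValueError:
            continue  # one bad line should not abort the whole batch
        for log_type, record in obj.items():
            if isinstance(record, dict) and "ts" in record:
                out.append((log_type, record))
    return out


def queries_per_hour(records):
    """Count DNS queries per UTC hour, keyed 'YYYY-MM-DDTHH' (Bro ts is epoch seconds)."""
    buckets = Counter()
    for log_type, rec in records:
        if log_type != "dns" or "query" not in rec:
            continue
        hour = datetime.fromtimestamp(float(rec["ts"]), tz=timezone.utc)
        buckets[hour.strftime("%Y-%m-%dT%H")] += 1
    return dict(buckets)


def is_top_site(name, top_sites):
    """True when the queried name is a top-site domain or a subdomain of one."""
    name = name.rstrip(".").lower()
    return any(name == s or name.endswith("." + s) for s in top_sites)


def top_site_split(records, top_sites):
    """Split DNS queries into top vs other; None means 'no top-site data, hide the panel'."""
    if not top_sites:
        return None
    sites = [s.lower() for s in top_sites]
    split = Counter({"top": 0, "other": 0})
    for log_type, rec in records:
        if log_type == "dns" and "query" in rec:
            split["top" if is_top_site(rec["query"], sites) else "other"] += 1
    return dict(split)
```

A Zeppelin paragraph can check for the `None` result and skip rendering, which is the explicit handling Justin's message suggests would be needed in place of a built-in hide.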