Implement support for output format, which can easily be forwarded to ElasticSearch

Question

Implement support for output format, which can easily be forwarded to ElasticSearch

spbnick opened this issue 8 years ago · 1 comments

Make sure the basic file output supports a format, which can easily be
massaged into an Elasticsearch index or bulk API. This would help users try
getting their existing audit logs to Elasticsearch.

Also add instructions for that to README.md.

Answer 1 · 2017-03-01T09:46:28.000Z

After running a local elastic cluster with 3 instances I have used the following commands to add data into elastic after cloning your repo.

curl -v  -H 'Content-Type: application/json' \
    --noproxy <elastic-ip> \
    'http://<elastic-ip>:9403/auditd?pretty' \
    -d '{"mappings":{"aushape":'"$(cat aushape/lib/aushape.mapping.json)"'}}'

while read MYLINE ; do
  curl -v -H 'Content-Type: application/json' \
  --noproxy <elastic-ip> \
  'http://<elastic-ip>:9403/auditd/aushape?pretty' \
  -d "$(echo $MYLINE | aushape -l json --events-per-doc=none --fold=all )"
done < audit.log