:tocdepth: 3

base/frameworks/logging/writers/elasticsearch.bro
=================================================
.. bro:namespace:: LogElasticSearch

Log writer for sending logs to an ElasticSearch server.

Note: This module is in testing and is not yet considered stable!

There is one known memory issue.  If your ElasticSearch server is
responding slowly and taking too long to return from bulk insert
requests, the message queue to the writer thread will keep growing,
giving the appearance of a memory leak.

:Namespace: LogElasticSearch
:Source File: :download:`/scripts/base/frameworks/logging/writers/elasticsearch.bro`

Summary
~~~~~~~
Options
#######
======================================================================================= ======================================================================
:bro:id:`LogElasticSearch::cluster_name`: :bro:type:`string` :bro:attr:`&redef`         Name of the ES cluster.
:bro:id:`LogElasticSearch::index_prefix`: :bro:type:`string` :bro:attr:`&redef`         Name of the ES index.
:bro:id:`LogElasticSearch::max_batch_interval`: :bro:type:`interval` :bro:attr:`&redef` The maximum amount of wall-clock time that is allowed to pass without
                                                                                        finishing a bulk log send.
:bro:id:`LogElasticSearch::max_batch_size`: :bro:type:`count` :bro:attr:`&redef`        The batch size is the number of messages that will be queued up before
                                                                                        they are sent to be bulk indexed.
:bro:id:`LogElasticSearch::max_byte_size`: :bro:type:`count` :bro:attr:`&redef`         The maximum byte size for a buffered JSON string to send to the bulk
                                                                                        insert API.
:bro:id:`LogElasticSearch::server_host`: :bro:type:`string` :bro:attr:`&redef`          ES server.
:bro:id:`LogElasticSearch::server_port`: :bro:type:`count` :bro:attr:`&redef`           ES port.
:bro:id:`LogElasticSearch::type_prefix`: :bro:type:`string` :bro:attr:`&redef`          The ES type prefix comes before the name of the related log.
======================================================================================= ======================================================================

Constants
#########
================================================================== ========================================================
:bro:id:`LogElasticSearch::transfer_timeout`: :bro:type:`interval` The time before an ElasticSearch transfer will time out.
================================================================== ========================================================


Detailed Interface
~~~~~~~~~~~~~~~~~~
Options
#######
.. bro:id:: LogElasticSearch::cluster_name

   :Type: :bro:type:`string`
   :Attributes: :bro:attr:`&redef`
   :Default: ``"elasticsearch"``

   Name of the ES cluster.

.. bro:id:: LogElasticSearch::index_prefix

   :Type: :bro:type:`string`
   :Attributes: :bro:attr:`&redef`
   :Default: ``"bro"``

   Name of the ES index.

.. bro:id:: LogElasticSearch::max_batch_interval

   :Type: :bro:type:`interval`
   :Attributes: :bro:attr:`&redef`
   :Default: ``1.0 min``

   The maximum amount of wall-clock time that is allowed to pass without
   finishing a bulk log send.  This represents the maximum delay you
   would like to have with your logs before they are sent to ElasticSearch.

.. bro:id:: LogElasticSearch::max_batch_size

   :Type: :bro:type:`count`
   :Attributes: :bro:attr:`&redef`
   :Default: ``1000``

   The batch size is the number of messages that will be queued up before
   they are sent to be bulk indexed.

.. bro:id:: LogElasticSearch::max_byte_size

   :Type: :bro:type:`count`
   :Attributes: :bro:attr:`&redef`
   :Default: ``1048576``

   The maximum byte size for a buffered JSON string to send to the bulk
   insert API.

.. bro:id:: LogElasticSearch::server_host

   :Type: :bro:type:`string`
   :Attributes: :bro:attr:`&redef`
   :Default: ``""``

   ES server.

.. bro:id:: LogElasticSearch::server_port

   :Type: :bro:type:`count`
   :Attributes: :bro:attr:`&redef`
   :Default: ``9200``

   ES port.

.. bro:id:: LogElasticSearch::type_prefix

   :Type: :bro:type:`string`
   :Attributes: :bro:attr:`&redef`
   :Default: ``""``

   The ES type prefix comes before the name of the related log.
   For example, a prefix of ``"bro_"`` would create types such as
   ``bro_dns`` and ``bro_software``.

Constants
#########
.. bro:id:: LogElasticSearch::transfer_timeout

   :Type: :bro:type:`interval`
   :Default: ``2.0 secs``

   The time before an ElasticSearch transfer will time out. Note that
   the fractional part of the timeout will be ignored. In particular,
   time specifications of less than a second result in a timeout value of
   0, which means "no timeout."
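The three flush triggers described by ``max_batch_size``, ``max_byte_size`` and ``max_batch_interval``, together with the whole-second truncation noted for ``transfer_timeout``, modelled in Python as an added illustration (not code from Bro or from the writer's own implementation). ``BulkBatcher``, its ``add``/``maybe_flush`` methods and ``effective_timeout`` are hypothetical names; the thresholds default to the values documented above, and the records fed in are constructed samples.

```python
"""Model of the bulk-send policy described by the LogElasticSearch options.

Added illustration only: not Bro's code and not the writer's C++ backend.
A buffered batch is sent when any one of the three documented limits is
reached; the timeout helper reproduces the whole-second truncation noted
for transfer_timeout.
"""
import json
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class BulkBatcher:
    # Defaults mirror the documented option defaults.
    max_batch_size: int = 1000          # messages queued before a bulk send
    max_byte_size: int = 1048576        # bytes of buffered JSON before a send
    max_batch_interval: float = 60.0    # seconds allowed since the batch began
    sent: List[str] = field(default_factory=list)   # bulk bodies "sent" so far
    _buf: List[str] = field(default_factory=list)
    _bytes: int = 0
    _first_ts: Optional[float] = None

    def add(self, record: dict, now: float) -> bool:
        """Queue one log record as a JSON line; True if this triggered a send."""
        line = json.dumps(record, separators=(",", ":")) + "\n"
        if not self._buf:
            self._first_ts = now           # batch clock starts at first record
        self._buf.append(line)
        self._bytes += len(line.encode("utf-8"))
        return self.maybe_flush(now)

    def maybe_flush(self, now: float) -> bool:
        """Send the buffer if any limit is hit; call periodically for the interval limit."""
        if not self._buf:
            return False
        due = (len(self._buf) >= self.max_batch_size
               or self._bytes >= self.max_byte_size
               or now - self._first_ts >= self.max_batch_interval)
        if due:
            # In the real writer this is the HTTP bulk request; here we only record it.
            self.sent.append("".join(self._buf))
            self._buf, self._bytes, self._first_ts = [], 0, None
        return due


def effective_timeout(transfer_timeout: float) -> int:
    """Whole seconds actually applied; 0 means 'no timeout', as the note warns."""
    return int(transfer_timeout)
```

Nothing in this model bounds the buffer while a send is outstanding, which is the unbounded growth the memory note at the top of this page describes.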


