Existing Bro Deployment feed to Rock

Hello,

I have an existing deployment of Bro / Zeek sensors feeding to Kibana. I am currently using Filebeat --> Logstash --> ELK. Is there a way to point those sensors to Rock NSM? Perhaps metron-bro-plugin-kafka? Just getting my head around the deployment.

Thanks,
Tom


Above is the Current Arch.
Just so I understand this right…
Do you want to add an additional server that is looking at a different location and pipe that into Logstash?

Yes, it is a stock Bro sensor with PF_RING.

Thanks,
Tom

Yes, you could, using Kafka, and have it pipe into another index. That being said, a good place to start would be the ROCK NSM GitHub, to see what you need to adjust on the pfring Bro sensor in order to ship it to Kafka.

OK, I will take a look at that one.

Thanks,
Tom