OUI vendor names used by Logstash don't match those used by Moloch #82

Closed
mmguero opened this issue Nov 18, 2019 · 0 comments
Comments

@mmguero

mmguero commented Nov 18, 2019

The OUI list used by Moloch to populate vendor names doesn't match the one I'm using as the source for Logstash with regards to some punctuation, etc. I do like the "sanitized" one found at linxunet.ca, but I'd rather have the fields match. I'm going to make the wireshark one the standard for both.
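Both tools derive the vendor field from the first bits of a MAC address via an OUI table, so the field values only line up across Moloch and Logstash when both are built from the same source file. The following is an added example (not Malcolm's code) of a lookup built from a Wireshark-style `manuf` file; the layout it assumes is tab-separated `prefix[/bits]`, short name, long name, with `#` starting a comment, and the sample lines are constructed for this example.

```python
import re
from typing import Dict, Optional

# Constructed sample in the assumed layout of Wireshark's manuf file:
# prefix[/bits] <TAB> short name <TAB> long name; '#' begins a comment.
# Registrations shorter than 24 bits (/28, /36) carry an explicit mask.
SAMPLE_MANUF = """\
# manuf sample (constructed for this example, not the real file)
00:00:01\tXerox\tXerox Corporation
00:50:C2:00:00/36\tT.L.S. Corp.\tT.L.S. Corp.
00:50:C2\tIeeeRegi\tIEEE Registration Authority
"""


def _mac_to_int(mac: str) -> int:
    """Accept aa:bb:cc..., aa-bb-cc... or aabb.ccdd... and return the value
    left-aligned in 48 bits, so prefixes and full addresses compare alike."""
    hexdigits = re.sub(r"[^0-9a-fA-F]", "", mac)
    if not hexdigits or len(hexdigits) > 12 or len(hexdigits) % 2:
        raise ValueError(f"bad MAC or prefix: {mac!r}")
    return int(hexdigits, 16) << (4 * (12 - len(hexdigits)))


def parse_manuf(text: str) -> Dict[int, Dict[int, str]]:
    """Return {prefix_bits: {prefix_value: long vendor name}}."""
    table: Dict[int, Dict[int, str]] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()  # drop comments and blank lines
        if not line:
            continue
        fields = line.split("\t")
        prefix, bits = fields[0], 24  # a bare OUI is a /24 registration
        if "/" in prefix:
            prefix, bits_str = prefix.split("/", 1)
            bits = int(bits_str)
        vendor = fields[-1].strip()  # prefer the long name for the field value
        table.setdefault(bits, {})[_mac_to_int(prefix) >> (48 - bits)] = vendor
    return table


def lookup_vendor(table: Dict[int, Dict[int, str]], mac: str) -> Optional[str]:
    """Longest-prefix match: try /36 before /28 before /24."""
    addr = _mac_to_int(mac)
    for bits in sorted(table, reverse=True):
        hit = table[bits].get(addr >> (48 - bits))
        if hit is not None:
            return hit
    return None
```

Feeding the same parsed table to every enrichment stage keeps the vendor strings byte-identical, so searches and correlations on that field work across both tools.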

@mmguero mmguero added labels bug (Something isn't working) and logstash (Relating to Malcolm's use of Logstash) Nov 18, 2019
@mmguero mmguero closed this as completed Nov 18, 2019
mmguero added a commit that referenced this issue Nov 20, 2019
* Topic/dynamic pipelines (#81) (Handling issue #80 and issue #78)

* redesign PCAP processing pipeline so that there is [one service](/idaholab/Malcolm/tree/development/moloch/scripts/pcap_watcher.py) that watches the `/data/pcap/processed` directory and publishes to a ØMQ topic, then [other services](/idaholab/Malcolm/tree/development/moloch/scripts/pcap_moloch_and_zeek_processor.py) can subscribe to that topic and do what they want with the PCAP information they receive. This will make it much easier to add future PCAP processors, and also increases parallel-ness of the code.

* move common Logstash enrichments to a separate pipeline. I've made the [pipelines](/idaholab/Malcolm/tree/development/logstash/pipelines) used for processing Logstash events more modular, and I've also made it more extensible by having the [startup script](/idaholab/Malcolm/tree/development/logstash/scripts/logstash-start.sh) dynamically detect and configure new pipelines on the fly. This will make it easier to add new parsers in the future (need to document how to do that in the [readme](/idaholab/Malcolm/tree/development/README.md) though).

* bump version for 1.7.1 release

* set opencontainers-compatible labels on docker containers

* fix path issue with fuser for the filebeat prune cronjob

* fix issue #82, OUI vendor names used by Logstash don't match those used by Moloch

* clean up unused code

* split pcap-monitor into its own image

* breaking out moloch and zeek docker containers into their own

* make sure things run as the right users in new containers

* fix issue with duplicate files not being detected by pcap_watcher.py

* documentation fix

* fix missing geoip section ids

* clean up dockerfiles

* decrease verbosity of moloch-capture since we're not seeing it anyway

* Allow the ability to specify PCAP_PIPELINE_IGNORE_PREEXISTING in order to check and (if needed) reprocess PCAP files that didn't get finished before shutdown. Default is 'false' which means to do the check, 'true' means ignore anything in there before the container starts