specify JSON for KAPE

philhagen committed Jun 7, 2019
1 parent 532816c commit 48b67cf8c6b52254198c933de048e46ff07857be
Showing with 1 addition and 1 deletion.
  1. +1 −1 VM_README.md
@@ -30,7 +30,7 @@ All parsers and dashboards for this VM are now maintained in this Github reposit
* `/logstash/nfarch/`: Archived NetFlow output, formatted as described below
* `/logstash/httpd/`: Apache logs in common, combined, or vhost-combined formats
* `/logstash/passivedns/`: Logs from the passivedns utility
* `/logstash/kape/`: Files generated by the [KAPE](https://learn.duffandphelps.com/kape) triage collection tool ([See this document](doc/kape_support.md) for details on which specific output files are currently supported)
* `/logstash/kape/`: JSON-format files generated by the [KAPE](https://learn.duffandphelps.com/kape) triage collection tool ([See this document](doc/kape_support.md) for details on which specific output files are currently supported)
* NOTICE: Remember that syslog DOES NOT reflect the year of a log entry! Therefore, Logstash has been configured to look for a year value in the path to a file. For example: `/logstash/syslog/2015/var/log/messages` will assign all entries from that file to the year 2015. If no year is present, the current year will be assumed. This is enabled only for the `/logstash/syslog/` directory.
* Commands to be familiar with:
* `/usr/local/sbin/sof-elk_clear.py`: DESTROY contents of the Elasticsearch database. Most frequently used with an index name base (e.g. `sof-elk_clear.py -i logstash` will delete all data from the Elasticsearch `logstash-*` indexes. Other options detailed with the `-h` flag.
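Review bot: The replacement bullet for `/logstash/kape/` narrows the description to "JSON-format files", but this commit touches only VM_README.md (1 addition, 1 deletion), while the bullet still points readers to `doc/kape_support.md` for the list of supported output files; please confirm that document also states the JSON requirement, otherwise the two pages will disagree about what the ingestion path accepts. It would also help the reader to say in the bullet what happens to non-JSON KAPE output dropped into `/logstash/kape/` (ignored, or parsed incorrectly), since the surrounding bullets for `/logstash/httpd/` and `/logstash/syslog/` do spell out their format expectations and caveats.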
