After the initial build, the ES cluster will be yellow because the Marvel index thinks it is missing a replica. Run the cleanup script once to fix this; the same job also runs from cron just after midnight every day (stdout is redirected first and then stderr, so both are discarded):
/usr/local/bin/es_cleanup.sh > /dev/null 2>&1
Check to see that the ES cluster says it's green:
curl -s localhost:9200/_cluster/health | jq '.'
See how many documents are in the indexes. The count should be non-zero:
curl -s localhost:9200/_all/_count | jq '.'
You can fire some traffic across the sensor at this point to see if it's collecting. NOTE: This requires that you upload your own test PCAP to the box.
sudo tcpreplay -i [your monitor interface] /path/to/a/test.pcap
After replaying some traffic, or just waiting a bit, the count should be going up.
curl -s localhost:9200/_all/_count | jq '.'
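The three checks above (cluster green, a non-zero document count, and a count that rises after traffic is replayed) can be folded into one readiness script. This is an added example, not part of the ROCK NSM project; it assumes Elasticsearch answers on http://localhost:9200 as in the curl commands above, and the sample health documents are constructed for the test, not captured from a sensor.

```python
"""Readiness check for the sensor's Elasticsearch node: green, non-empty, ingesting."""
import json
import time
import urllib.request

ES = "http://localhost:9200"  # assumption: ES reachable on the box, as in the curl checks


def fetch_json(url):
    """GET a JSON document from the local ES REST API."""
    with urllib.request.urlopen(url, timeout=5) as resp:
        return json.load(resp)


def health_issues(health):
    """Problems found in a _cluster/health document (empty list means green)."""
    issues = []
    if health.get("status") != "green":
        issues.append(f"cluster status is {health.get('status')!r}, not green")
    if health.get("unassigned_shards", 0):
        # On a single-node cluster a replica shard can never be placed,
        # which is exactly the yellow state the cleanup script resolves.
        issues.append(f"{health['unassigned_shards']} unassigned shard(s)")
    return issues


def ingest_issues(count_before, count_after):
    """Problems found by comparing two _all/_count documents taken some time apart."""
    issues = []
    before = count_before.get("count", 0)
    after = count_after.get("count", 0)
    if after == 0:
        issues.append("no documents indexed yet")
    elif after <= before:
        issues.append("document count not increasing")
    return issues


def check(health, count_before, count_after):
    """All issues from both checks; an empty list means the sensor is collecting."""
    return health_issues(health) + ingest_issues(count_before, count_after)


# Constructed sample responses (shape matches _cluster/health, values invented).
SAMPLE_YELLOW = {"cluster_name": "rocknsm", "status": "yellow",
                 "number_of_nodes": 1, "unassigned_shards": 1}
SAMPLE_GREEN = {"cluster_name": "rocknsm", "status": "green",
                "number_of_nodes": 1, "unassigned_shards": 0}

if __name__ == "__main__":
    health = fetch_json(f"{ES}/_cluster/health")
    first = fetch_json(f"{ES}/_all/_count")
    time.sleep(30)  # replay a PCAP or wait for live traffic in the meantime
    second = fetch_json(f"{ES}/_all/_count")
    for line in check(health, first, second) or ["OK: cluster green and document count rising"]:
        print(line)
```

Run it after the cleanup script and a tcpreplay; each reported problem maps to one of the manual checks above, so a yellow cluster with one unassigned shard points straight back at the replica issue.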
You should have plain text bro logs showing up in /data/bro/logs/current/:
ls -ltr /data/bro/logs/current/
@todo Modify the rock_* tasks to be rockctl {start|stop|status}
They're still there, for now, but rockctl is the "One True Path"™.
These functions are accomplished with rock_stop, rock_start, and rock_status.
NOTE: these may need to be prefaced with /usr/local/bin/ depending on your $PATH.
sudo rock_start
sudo rock_status
sudo rock_stop
https://localhost - Kibana web interface - After deploy, the generated credentials are in KIBANA_CREDS.README in the home directory of the user created during install
https://localhost:8443 - Docket - (If enabled) The web interface for pulling PCAP from the sensor
In these URLs, localhost stands for the IP of the management interface of the box.
UTC is generally preferred for logging data as the timestamps from anywhere in the world will have a proper order without calculating offsets. That said, Kibana will present the bro logs according to your timezone (as set in the browser). The bro logs themselves (i.e. in /data/bro/logs/) log in epoch time and will be written in UTC regardless of the system timezone.
Bro includes a utility for parsing these on the command line called bro-cut. It can be used to print human-readable timestamps in either the local sensor timezone or UTC. You can also give it a custom format string to specify what you'd like displayed.

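To show what the epoch timestamps in /data/bro/logs/ look like and how bro-cut's conversion works, here is an added example (not part of Bro or ROCK NSM) that parses the Bro ASCII log header and renders the ts column in UTC, in the sensor's local zone, or with a custom format. The conn.log excerpt is constructed for the example, and the default format string is an assumption chosen to resemble bro-cut's output rather than taken from the page.

```python
"""Parse Bro ASCII logs and render epoch timestamps the way bro-cut -d/-u/-U do."""
import codecs
from datetime import datetime, timezone

DEFAULT_FMT = "%Y-%m-%dT%H:%M:%S%z"  # assumption: bro-cut-like default rendering

# Constructed conn.log excerpt (not from a real sensor); columns trimmed for brevity.
SAMPLE_CONN_LOG = """#separator \\x09
#set_separator\t,
#empty_field\t(empty)
#unset_field\t-
#path\tconn
#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tservice\tduration
#types\ttime\tstring\taddr\tport\taddr\tport\tenum\tstring\tinterval
1483228800.123456\tCabc123\t10.0.0.5\t51234\t10.0.0.1\t53\tudp\tdns\t0.002
1483232400.000000\tCdef456\t10.0.0.5\t44321\t192.0.2.10\t443\ttcp\t-\t12.5
#close\t2017-01-01-01-00-05
"""


def parse_bro_log(text):
    """Return (fields, types, rows) from a Bro ASCII log; rows are dicts keyed by field."""
    sep, fields, types, rows = "\t", [], [], []
    for line in text.splitlines():
        if not line:
            continue
        if line.startswith("#separator"):
            # The header spells the separator as an escape sequence, e.g. \x09 for TAB.
            sep = codecs.decode(line.split(" ", 1)[1], "unicode_escape")
            continue
        if line.startswith("#"):
            key, _, rest = line.partition(sep)
            if key == "#fields":
                fields = rest.split(sep)
            elif key == "#types":
                types = rest.split(sep)
            continue  # #set_separator, #path, #open, #close etc. are not needed here
        rows.append(dict(zip(fields, line.split(sep))))
    return fields, types, rows


def format_ts(epoch, utc=True, fmt=DEFAULT_FMT):
    """Render a Bro 'time' value (seconds since the epoch, UTC) as text."""
    dt = datetime.fromtimestamp(float(epoch), tz=timezone.utc)
    if not utc:
        dt = dt.astimezone()  # convert to the system's local timezone
    return dt.strftime(fmt)


def bro_cut(text, columns, utc=True, fmt=DEFAULT_FMT):
    """Select columns like bro-cut, converting 'time' typed columns to readable form."""
    fields, types, rows = parse_bro_log(text)
    kind = dict(zip(fields, types))
    out = []
    for row in rows:
        values = []
        for col in columns:
            value = row[col]
            if kind.get(col) == "time" and value != "-":  # '-' is the unset marker
                value = format_ts(value, utc=utc, fmt=fmt)
            values.append(value)
        out.append("\t".join(values))
    return out


if __name__ == "__main__":
    for line in bro_cut(SAMPLE_CONN_LOG, ["ts", "id.orig_h", "id.resp_h", "id.resp_p"]):
        print(line)
    for line in bro_cut(SAMPLE_CONN_LOG, ["ts", "uid"], utc=False, fmt="%Y-%m-%d %H:%M:%S %Z"):
        print(line)
```

Because the raw ts field is seconds since the epoch, the same row renders as 2017-01-01T00:00:00+0000 in UTC and as the equivalent wall-clock time in the sensor's zone; only the presentation changes, which is why sorting and correlating on the raw values never needs an offset calculation.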