[Bro] Integrating bro-ids on sguil or snorby

Seth Hall seth at icir.org
Thu Sep 29 04:11:58 PDT 2011

On Sep 29, 2011, at 4:44 AM, carlopmart wrote:

> rsyslog -> ossec_agent -> ossec_server -> splunk
> What is your opinion??

I want to support splunk as a direct output for Bro eventually, we already have some users that are very successfully using that model.  With my "ext" scripts available from http://www.github.com/sethhall/bro_scripts people have been using the Splunk forwarder to send those logs directly to splunk which automatically does field extraction and it correctly recognizes the epoch time timestamps at the beginning of the lines as what they are.

We are planning on doing closer integration with OSSEC once we figure out what that means, but what does that 4 step pipeline gain you over just using the splunk forwarder directly?

BTW, I don't really recommend people begin using my "ext" scripts at this point.  We're going to be doing a new release very soon and all of the scripts have incorporated "lessons learned" from my experience in writing the ext scripts.  It makes more sense to follow our in-development quickstart guide[1] and Martin's recent blog post[2].

1. http://www.bro-ids.org/documentation/quickstart.html#compiling-bro-source-code
2. http://ossectools.blogspot.com/2011/09/bro-quickstart-cluster-edition.html


Seth Hall
International Computer Science Institute
(Bro) because everyone has a network