[Bro] any ArcSight users?
mscox42 at gmail.com
Wed May 15 12:37:03 PDT 2013
I made a quick flex connector (file reader) for just the http.log as a
test. It all works fine, and it handles file rotation without the problems
I am seeing with the canned connector.
There's a handy function built into the flex
connector, _createLocalTimeStampFromSecondsSinceEpoch(), to convert the
time to a format that ESM can deal with. Everything else was very simple.
Hopefully the thread will help someone else.
On Wed, May 15, 2013 at 2:08 PM, Brad Doctor <brad.doctor at gmail.com> wrote:
> in the .bro files, some changes have been made to the format to better
> suit our needs. as such that completely breaks the arcsight connector.
> On Wed, May 15, 2013 at 1:02 PM, Seth Hall <seth at icir.org> wrote:
>> On May 15, 2013, at 2:50 PM, Brad Doctor <brad.doctor at gmail.com> wrote:
>> > we did, but as we customize our format, it didn't work. and we have a
>> lot of sensors reporting in via syslog forwarding, so the flexconnector was
>> the most reliable way to do this. syslog subagent, basically.
>> What do you mean you customize your format?
>> Seth Hall
>> International Computer Science Institute
>> (Bro) because everyone has a network
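An added example, not code from the thread and not ArcSight's own: a small Python reader for Bro's ASCII http.log that does the two things the flex connector above needed, parsing records by the #fields directive and converting the epoch-seconds ts column into a calendar timestamp. The sample log lines are constructed, and the Bro-to-ArcSight field mapping in FIELD_MAP is an assumed illustration, not the poster's.

```python
from datetime import datetime, timezone
# Constructed sample in Bro's ASCII log format (directive lines as a real
# http.log carries them; the column subset, hosts and uids are made up).
SAMPLE_HTTP_LOG = (
    "#separator \\x09\n"
    "#unset_field\t-\n"
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tmethod\thost\turi\n"
    "1368646623.123456\tCHhAvVGS1DHFjwGM9\t10.0.0.5\t51234\t93.184.216.34\t80"
    "\tGET\texample.com\t/index.html\n"
    "1368646624.500000\tC4J4Th3PJpwUYZZ6gc\t10.0.0.6\t51235\t93.184.216.34\t80\t-\t-\t-\n"
    "#close\t2013-05-15-13-00-00\n"
)

def parse_bro_log(text):
    """Yield one dict per record, keyed by the names in the #fields directive."""
    sep, unset, fields = "\t", "-", None       # defaults until the header says otherwise
    for line in text.splitlines():
        if line.startswith("#separator "):      # value is written as an escape, e.g. \x09
            sep = line.split(" ", 1)[1].encode().decode("unicode_escape")
        elif line.startswith("#unset_field"):
            unset = line.split(sep, 1)[1]
        elif line.startswith("#fields"):
            fields = line.split(sep)[1:]
        elif line.startswith("#") or not line:  # #path, #types, #close, ...
            continue
        else:
            values = line.split(sep)
            if fields is None or len(values) != len(fields):
                raise ValueError("record does not match #fields: %r" % line)
            yield {f: (None if v == unset else v) for f, v in zip(fields, values)}

def epoch_to_timestamp(ts, utc=False):
    """Bro's epoch-seconds 'ts' as a calendar timestamp; local zone by default, UTC on request."""
    tz = timezone.utc if utc else None
    return datetime.fromtimestamp(float(ts), tz=tz).strftime("%Y-%m-%dT%H:%M:%S.%f")

# Illustrative Bro column -> ArcSight event field mapping (assumed, not the poster's).
FIELD_MAP = {"id.orig_h": "sourceAddress", "id.orig_p": "sourcePort",
             "id.resp_h": "destinationAddress", "id.resp_p": "destinationPort",
             "method": "requestMethod", "host": "destinationHostName", "uri": "requestUrl"}

def to_esm_events(text, utc=False):
    """Return ESM-style event dicts for every record in a Bro http.log text."""
    events = []
    for rec in parse_bro_log(text):
        ev = {"deviceReceiptTime": epoch_to_timestamp(rec["ts"], utc)}
        ev.update({FIELD_MAP[k]: v for k, v in rec.items() if k in FIELD_MAP and v is not None})
        events.append(ev)
    return events
```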