[Bro] bro question with SIEM

Ron Jenkins rjenkins at rmjconsulting.net
Fri Oct 31 13:44:39 PDT 2014

We set up Linux's Syslog-NG v3.x to monitor and forward the logs to Log Siphon's syslog daemon.

Below is an example syslog.conf setup.


Below are the sample settings for syslog-ng.conf concerning sending the Bro2 logs to Log Siphon; items in dark red ARE required.

#BRO IDS
source s1_broHttp { file("/opt/bro2/spool/bro/http.log" follow_freq(1)); };
source s1_broConn { file("/opt/bro2/spool/bro/conn.log" follow_freq(1)); };
source s1_broDNS { file("/opt/bro2/spool/bro/dns.log" follow_freq(1)); };
source s1_broFILES { file("/opt/bro2/spool/bro/files.log" follow_freq(1)); };
source s1_broSMTP { file("/opt/bro2/spool/bro/smtp.log" follow_freq(1)); };
source s1_broSMTPentities { file("/opt/bro2/spool/bro/smtp_entities.log" follow_freq(1)); };
source s1_broSoftware { file("/opt/bro2/spool/bro/software.log" follow_freq(1)); };
source s1_broSNMP { file("/opt/bro2/spool/bro/snmp.log" follow_freq(1)); };
source s1_broSSL { file("/opt/bro2/spool/bro/ssl.log" follow_freq(1)); };
source s1_broDPD { file("/opt/bro2/spool/bro/dpd.log" follow_freq(1)); };
source s1_broNotice { file("/opt/bro2/spool/bro/notice.log" follow_freq(1)); };
source s1_broSSH { file("/opt/bro2/spool/bro/ssh.log" follow_freq(1)); };
source s1_broSYSLOG { file("/opt/bro2/spool/bro/syslog.log" follow_freq(1)); };
source s1_broFTP { file("/opt/bro2/spool/bro/ftp.log" follow_freq(1)); };
source s1_broTUNNEL { file("/opt/bro2/spool/bro/tunnel.log" follow_freq(1)); };
source s1_broX509 { file("/opt/bro2/spool/bro/x509.log" follow_freq(1)); };

source s1_broDHCP { file("/opt/bro2/spool/bro/dhcp.log" follow_freq(1)); };

destination logsiphon1 { udp("X.X.X.X" port(514) template("BRO2 HTTP -> $FULLDATE $PROGRAM $MSGONLY \n") template_escape(no)); };
destination logsiphon2 { udp("X.X.X.X" port(514) template("BRO2 CONN -> $FULLDATE $PROGRAM $MSGONLY \n") template_escape(no)); };
destination logsiphon3 { udp("X.X.X.X" port(514) template("BRO2 DNS -> $FULLDATE $PROGRAM $MSGONLY \n") template_escape(no)); };
destination logsiphon4 { udp("X.X.X.X" port(514) template("BRO2 SMTP -> $FULLDATE $PROGRAM $MSGONLY \n") template_escape(no)); };
destination logsiphon5 { udp("X.X.X.X" port(514) template("BRO2 SMTP_ENTITIES -> $FULLDATE $PROGRAM $MSGONLY \n") template_escape(no)); };
destination logsiphon6 { udp("X.X.X.X" port(514) template("BRO2 SOFTWARE -> $FULLDATE $PROGRAM $MSGONLY \n") template_escape(no)); };
destination logsiphon7 { udp("X.X.X.X" port(514) template("BRO2 SSL -> $FULLDATE $PROGRAM $MSGONLY \n") template_escape(no)); };
destination logsiphon8 { udp("X.X.X.X" port(514) template("BRO2 DPD -> $FULLDATE $PROGRAM $MSGONLY \n") template_escape(no)); };
destination logsiphon9 { udp("X.X.X.X" port(514) template("BRO2 NOTICE -> $FULLDATE $PROGRAM $MSGONLY \n") template_escape(no)); };
destination logsiphon10 { udp("X.X.X.X" port(514) template("BRO2 FTP -> $FULLDATE $PROGRAM $MSGONLY \n") template_escape(no)); };
destination logsiphon11 { udp("X.X.X.X" port(514) template("BRO2 SSH -> $FULLDATE $PROGRAM $MSGONLY \n") template_escape(no)); };
destination logsiphon12 { udp("X.X.X.X" port(514) template("BRO2 SYSLOG -> $FULLDATE $PROGRAM $MSGONLY \n") template_escape(no)); };
destination logsiphon13 { udp("x.x.x.x" port(514) template("BRO2 TUNNEL -> $FULLDATE $PROGRAM $MSGONLY \n") template_escape(no)); };
destination logsiphon14 { udp("x.x.x.x" port(514) template("BRO2 FILES -> $FULLDATE $PROGRAM $MSGONLY \n") template_escape(no)); };
destination logsiphon15 { udp("x.x.x.x" port(514) template("BRO2 SNMP -> $FULLDATE $PROGRAM $MSGONLY \n") template_escape(no)); };
destination logsiphon16 { udp("x.x.x.x" port(514) template("BRO2 X509 -> $FULLDATE $PROGRAM $MSGONLY \n") template_escape(no)); };

destination logsiphon17 { udp("x.x.x.x" port(514) template("BRO2 DHCP -> $FULLDATE $PROGRAM $MSGONLY \n") template_escape(no)); };

log { source(s1_broHttp); destination(logsiphon1); };
log { source(s1_broConn); destination(logsiphon2); };
log { source(s1_broDNS); destination(logsiphon3); };
log { source(s1_broSMTP); destination(logsiphon4); };
log { source(s1_broSMTPentities); destination(logsiphon5); };
log { source(s1_broSoftware); destination(logsiphon6); };
log { source(s1_broSSL); destination(logsiphon7); };
log { source(s1_broDPD); destination(logsiphon8); };
log { source(s1_broNotice); destination(logsiphon9); };
log { source(s1_broFTP); destination(logsiphon10); };
log { source(s1_broSSH); destination(logsiphon11); };
log { source(s1_broSYSLOG); destination(logsiphon12); };
log { source(s1_broTUNNEL); destination(logsiphon13); };
log { source(s1_broFILES); destination(logsiphon14); };
log { source(s1_broSNMP); destination(logsiphon15); };
log { source(s1_broX509); destination(logsiphon16); };

log { source(s1_broDHCP); destination(logsiphon17); };

Ron Jenkins (Owner / Senior Architect)
RMJ Consulting, LLC. "Bringing Companies and Solutions Together"
11715 Bricksome Ave STE B-7
Baton Rouge, LA 70816
Toll: 855-448-5214
Direct. 225-448-5214 Ext #101
Fax. 225-448-5324
Cell. 225-931-1632
Email. rjenkins at rmjconsulting.net
Web. http://www.rmjconsulting.net
Log Siphon. http://www.logsiphon.com
Linkedin. http://www.linkedin.com/in/ronmjenkins/
Twitter: http://www.twitter.com/RMJConsulting
RMJ Consulting’s Technology Corner. https://www.rmjconsulting.net/main/paper.php
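The syslog-ng setup above ships every Bro log line verbatim, including the #separator, #fields and #types header lines Bro writes at each log rotation, and leaves the SIEM to split positional TSV whose column order depends on the Bro version and the scripts loaded. The following is an added example and not code from the original post, from Log Siphon or from Bro: it parses the Bro 2.x ASCII log format (honouring the #separator, #fields, #unset_field and #empty_field headers), drops unset fields, renders each record as a "BRO2 <PATH> -> key=value ..." message in the prefix style of the syslog-ng templates above, and frames it as a BSD-syslog (RFC 3164) UDP payload. The conn.log sample is constructed; the hostname, program tag and facility are assumed defaults.

```python
"""Turn Bro 2.x ASCII (TSV) logs into key=value syslog messages for a SIEM.

Added example; not code from the original post, from Log Siphon or from Bro.
"""
import re
import socket
import time

# Constructed sample: a Bro 2.x conn.log with the standard ASCII-writer header.
# The second record has unset fields ("-"), as a UDP flow with no reply does.
SAMPLE_CONN_LOG = (
    "#separator \\x09\n"
    "#set_separator\t,\n"
    "#empty_field\t(empty)\n"
    "#unset_field\t-\n"
    "#path\tconn\n"
    "#open\t2014-10-31-13-00-00\n"
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tservice"
    "\tduration\torig_bytes\tresp_bytes\tconn_state\n"
    "#types\ttime\tstring\taddr\tport\taddr\tport\tenum\tstring"
    "\tinterval\tcount\tcount\tstring\n"
    "1414785600.123456\tCHhAvVGS1DHFjwGM9\t10.0.0.5\t51234\t93.184.216.34\t80"
    "\ttcp\thttp\t0.512\t420\t1337\tSF\n"
    "1414785601.000000\tCmE9kx3z2BqT6a1Mr5\t10.0.0.5\t51235\t10.0.0.53\t53"
    "\tudp\tdns\t-\t-\t-\tS0\n"
    "#close\t2014-10-31-14-00-00\n"
)


def parse_bro_log(text):
    """Parse Bro ASCII log text. Returns (path, records); each record is a dict
    keyed by the #fields names, with unset ("-") fields omitted and
    (empty) fields mapped to ""."""
    sep, unset, empty = "\t", "-", "(empty)"
    fields, path, records = None, None, []
    for line in text.splitlines():
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#separator "):
                # Written escaped (e.g. \x09) because the separator is not yet known.
                sep = line[len("#separator "):].encode().decode("unicode_escape")
                continue
            key, _, value = line[1:].partition(sep)
            if key == "fields":
                fields = value.split(sep)
            elif key == "unset_field":
                unset = value
            elif key == "empty_field":
                empty = value
            elif key == "path":
                path = value
            continue  # #set_separator, #types, #open and #close need no handling here
        if fields is None:
            raise ValueError("data line before #fields header")
        values = line.split(sep)
        if len(values) != len(fields):
            raise ValueError("field count %d != %d: %r" % (len(values), len(fields), line))
        records.append({k: ("" if v == empty else v)
                        for k, v in zip(fields, values) if v != unset})
    return path, records


def _quote(value):
    """Quote a value containing whitespace, '=' or '"' so the SIEM can split pairs."""
    if value == "" or re.search(r'[\s="]', value):
        return '"' + value.replace('"', '\\"') + '"'
    return value


def to_message(path, record):
    """Render one record as 'BRO2 CONN -> k=v k=v ...', keeping the prefix
    convention of the syslog-ng templates in the post."""
    pairs = " ".join("%s=%s" % (k, _quote(v)) for k, v in record.items())
    return "BRO2 %s -> %s" % (path.upper(), pairs)


def build_datagram(msg, hostname="sensor1", program="bro", facility=16, severity=6, when=None):
    """Frame msg as a BSD-syslog (RFC 3164) UDP payload: <PRI>TIMESTAMP HOST TAG: MSG.
    Assumed defaults: facility local0 (16), severity info (6), host 'sensor1'.
    The day of month is space-padded, as RFC 3164 requires."""
    tm = time.gmtime(time.time() if when is None else when)
    stamp = "%s %2d %s" % (time.strftime("%b", tm), tm.tm_mday, time.strftime("%H:%M:%S", tm))
    return ("<%d>%s %s %s: %s" % (facility * 8 + severity, stamp, hostname, program, msg)).encode()


def convert(text):
    """Parse a whole log file and return the list of syslog message bodies."""
    path, records = parse_bro_log(text)
    return [to_message(path, r) for r in records]


def send_udp(datagrams, host, port=514):
    """Ship framed datagrams to the collector (not exercised offline)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        for d in datagrams:
            s.sendto(d, (host, port))


if __name__ == "__main__":
    for m in convert(SAMPLE_CONN_LOG):
        print(build_datagram(m, when=1414785600).decode())
```

UDP on port 514 matches the original configuration, but it is lossy and unauthenticated; syslog-ng also offers TCP and TLS destinations. Receivers that enforce the RFC 3164 limit of 1024 bytes will truncate long lines, which Bro http.log records with long URIs or user agents can exceed, so check the longest line types against the collector before relying on the feed.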

From: bro-bounces at bro.org [mailto:bro-bounces at bro.org] On Behalf Of Brant Hale
Sent: Friday, October 31, 2014 3:09 PM
To: Allen, Brian
Cc: bro at bro.org
Subject: Re: [Bro] bro question with SIEM


I also have Qradar and am looking to supplement it with BRO - mainly the Security Onion platform. The systems have some overlap, I suspect that they are just going to want raw network data as they have their own tools to pull info out. I am planning on sending my syslog data to Qradar and pulling the BRO data from a network tap. So both systems will run in parallel not one reporting to the other.

Do let us know what you end up with.


On Fri, Oct 31, 2014 at 3:45 PM, Allen, Brian <brianallen at wustl.edu> wrote:
Hi -

Our Medschool uses the IBM Qradar SIEM tool, and we have a project to expand it to cover the rest of the University.  Since we have a SIEM now, I figured I might as well put the best logs I have in it -  which include BRO logs: http, dns, conn, etc.

IBM is asking me the following question:  Is BRO able to forward raw flow data that has not been normalized or altered?

I'm pretty sure the answer is no because I have worked with raw flow data with flow-tools a lot, but I wanted to post it here to make sure, plus see if anyone is using BRO with a SIEM and what those setups might look like.


Brian Allen, CISSP
Information Security Manager
Washington University
brianallen at wustl.edu

Bro mailing list
bro at bro-ids.org

