[Bro] Bro +Splunk

Patrick Kelley pkelley at hyperionavenue.com
Thu Nov 5 07:18:36 PST 2015

Yes! Use the Splunk Universal Forwarder and monitor the
"/usr/local/bro/logs/current" folder. Make sure you configure Splunk to
receive the data. This can be done under settings.


Install the forwarder -


Add the location of your Splunk server -
./splunk add forward-server

Add the monitor command -
./splunk add monitor /usr/local/bro/logs/current

That's it.

On Thu, Nov 5, 2015 at 4:52 AM, Monah Baki <monahbaki at gmail.com> wrote:

> Hi all,
> Any good documentation for newbies as to how to send bro logs to a
> remote splunk server?
> What's the requirements on both sides and what files needs to be
> touched on the bro to send the logs to the remote splunk server.
> I know I installed from the splunk app the "Splunk add on for bro ids"
> Thanks
> Monah
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro


Patrick Kelley, CEH
Hyperion Avenue Labs

*The limit to which you have accepted being comfortable is the limit to
which you have grown. Accept new challenges as an opportunity to enrich
yourself and not as a point of potential failure.*
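As an added example, not part of Patrick's reply or the add-on's own files, the same setup expressed as Splunk .conf stanzas for both sides (the CLI commands above write the sensor-side stanzas for you). The indexer hostname, port 9997, the index name and the bro_* sourcetype names are assumptions; check the sourcetypes against the add-on's documentation.

```ini
# Added example: config-file form of the forwarder setup. Hostname, port,
# index and sourcetype names below are assumptions, not values from the post.

# --- Bro sensor: $SPLUNK_HOME/etc/system/local/outputs.conf ---
# Where the Universal Forwarder sends data (written by "add forward-server").
[tcpout]
defaultGroup = bro_indexers

[tcpout:bro_indexers]
# Assumed indexer name and default receiving port.
server = splunk.example.com:9997
# Indexer acknowledges each block so nothing is lost on a dropped connection.
useACK = true

# --- Bro sensor: $SPLUNK_HOME/etc/system/local/inputs.conf ---
# One stanza per log so each file gets its own sourcetype; a single stanza
# on the directory (what "add monitor" produces) sends every log as one
# sourcetype, which the add-on's field extractions cannot tell apart.
# "index = bro" assumes that index already exists on the indexer; drop the
# line to use the default index.
[monitor:///usr/local/bro/logs/current/conn.log]
sourcetype = bro_conn
index = bro

[monitor:///usr/local/bro/logs/current/dns.log]
sourcetype = bro_dns
index = bro

[monitor:///usr/local/bro/logs/current/http.log]
sourcetype = bro_http
index = bro

# --- Splunk indexer: $SPLUNK_HOME/etc/system/local/inputs.conf ---
# "Configure Splunk to receive the data": open the receiving port that the
# forwarder's outputs.conf points at (same thing the Settings UI does).
[splunktcp://9997]
disabled = 0
```

Restart splunkd on both sides after editing, then confirm with `./splunk list forward-server` on the sensor and `./splunk list inputstatus` to see the monitored files.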
