[Bro] problem ingesting bro json logs into splunk
lattin at umn.edu
Thu Jul 14 09:33:55 PDT 2016
It should work just fine, assuming TSV headers are present, as it keys off
the headers for the extractions.
On Thu, Jul 14, 2016 at 11:14 AM, Drew Dixon <dwdixon at umich.edu> wrote:
> Sorry hope I'm not hijacking- quick question very closely related to
> this...is the Splunk app for Bro that Brandon linked to here supposed to
> parse out all the various bro 2.4.1 log types' fields correctly?
> In other words, is the latest version of the Splunk app for Bro/TA
> supposed to work properly for parsing out Bro log fields with the way the
> log fields/columns etc. are now in Bro 2.4.1? I think the Splunk Add-on for
> Bro IDS was written for Bro 2.1 or 2.2...do changes that were made in
> subsequent versions of Bro such as 2.4.1 break the fields being parsed out
> in Splunk when using this Splunk Add-on for Bro/Bro TA in Splunkbase? Or
> does Splunk need to update the add-on to work properly with Bro 2.4.1?
> Thank you,
> On Thu, Jul 14, 2016 at 11:59 AM, Azoff, Justin S <jazoff at illinois.edu>
>> > On Jul 14, 2016, at 11:33 AM, Gross, Brett <gross.b at ghc.org> wrote:
>> > We’ve used bro and splunk at our organization for a couple years now.
>> > We utilize the Splunk props and transforms configs to ingest the bro log in
>> > the format we want or with the additional attributes and aliases.
>> Ah, that's for the tab delimited logs, not the json logs though. I
>> actually did it that way for years, I even have a python program that helps
>> you generate the config:
>> But, I wouldn't use this method - the splunk TA app for bro is better.
>> As far as I know the transforms/props method only does the field lookups
>> at search time, not at index time like the TA app configures.
>> Whenever the bro logs change and a column is added or removed, all those
>> search time field lookups break.
>> - Justin Azoff
>> Bro mailing list
>> bro at bro-ids.org
University of Minnesota - University Information Security
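The header-driven props/transforms approach discussed above, as an added example that is not part of the original thread and not Justin's script: it reads a Bro ASCII log header (#separator, #path, #fields), emits matching props.conf and transforms.conf stanzas for search-time extraction, and reports which fields would be misread once a later Bro version inserts a column. The sample header and the stanza names are constructed.

```python
# Added example, not the script Justin mentions: build Splunk search-time
# extraction stanzas from a Bro ASCII (TSV) log header, which is what the
# props/transforms approach keys off. It also shows why those extractions
# break when a later Bro version adds or removes a column.

# Constructed sample: header lines in the style of a Bro 2.4 conn.log.
SAMPLE_CONN_HEADER = """#separator \\x09
#set_separator\t,
#empty_field\t(empty)
#unset_field\t-
#path\tconn
#open\t2016-07-14-09-00-00
#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tservice
#types\ttime\tstring\taddr\tport\taddr\tport\tenum\tstring
"""

def parse_bro_header(text):
    """Return (path, separator, field names) from a Bro ASCII log header."""
    path, sep, fields = None, "\t", []
    for line in text.splitlines():
        if not line.startswith("#"):
            break  # header finished, data rows follow
        if line.startswith("#separator "):
            # the separator line is space-delimited and escaped, e.g. \x09
            sep = line.split(" ", 1)[1].encode("ascii").decode("unicode_escape")
            continue
        key, _, value = line[1:].partition(sep)
        if key == "path":
            path = value
        elif key == "fields":
            fields = value.split(sep)
    return path, sep, fields

def splunk_stanzas(path, sep, fields):
    """Return (props.conf, transforms.conf) text for search-time extraction."""
    # Dots in Bro names (id.orig_h) are replaced with underscores here; an
    # assumption made for portability of the generated Splunk field names.
    names = [f.replace(".", "_") for f in fields]
    delim = sep.encode("unicode_escape").decode("ascii")
    transforms = f"[bro_{path}_fields]\nDELIMS = \"{delim}\"\nFIELDS = {', '.join(names)}\n"
    props = f"[bro_{path}]\nREPORT-fields = bro_{path}_fields\n"
    return props, transforms

def shifted_columns(old_fields, new_fields):
    """Fields whose column position differs between two headers. A FIELDS
    list generated from the old header would assign these the wrong values
    when applied to logs with the new layout."""
    old_pos = {f: i for i, f in enumerate(old_fields)}
    return [f for i, f in enumerate(new_fields) if old_pos.get(f) not in (None, i)]
```

Regenerating the stanzas from the current header on every Bro upgrade is what keeps the search-time extraction aligned; the TA's index-time configuration avoids the problem for existing events.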