[Bro] Revisiting CEF formatted BRO Logs
jason.carr at gmail.com
Thu Jul 28 08:36:49 PDT 2016
It might be a little work, but utilizing the JSON output,
sending it to logstash and in turn using mutate/filter in the logstash
config may get you to where you want to be.
On Thu, Jul 28, 2016 at 10:56 AM Ludwig Goon <lagoon7 at gmail.com> wrote:
> Can someone from the community provide more information or examples of
> using the log writer to create CEF formatted logs for consumption with ArcSight?
> It seems that we can not customize ArcSight connectors for Bro logs;
> however, since ArcSight can accept CEF events directly, I would like to
> experiment with directly sending CEF formatted Bro events from the standard
> log set.
> Additionally, I have 5 Bro sensors and would like to tag each event with
> the Bro sensor's hostname before sending it to ArcSight. The default logs
> do not allow that modification, and the documentation is not the greatest. If
> you want to do this in ArcSight via the connector, which is a version or
> two behind, the connector will not allow the adding of the hostname.
> So I have attempted to write Perl and Python converters, but the
> performance of tailing logs and sending all events is challenging.
> Also, using bro-cut requires scripting, and again I am not sure if I am sending
> ALL log events.
> In previous questions to the forum the answer was using the logging
> framework; however, I have not seen any more content on this subject. Thus
> here is my formal request:
> Can someone show how to use the logging framework to convert, or have Bro
> output, the http.log in CEF format? Also, can I add custom fields such as
> sensor-name at the end of the event or at the beginning near CEF:0?
> Bro mailing list
> bro at bro-ids.org
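The pipeline Jason suggests (Bro JSON output feeding a converter that emits CEF with a sensor tag) can be sketched without logstash at all. The following is an added example for this thread, not code from either poster or from the Bro project: it reads http.log lines as the Bro ASCII writer emits them in JSON mode (one JSON object per line; enabling that mode via `LogAscii::use_json` is assumed), escapes the values according to the CEF rules (backslash and pipe in the header, backslash, equals sign and newlines in the extension), maps a handful of http.log fields onto standard CEF extension keys, and carries the sensor hostname in the standard `dvchost` key. The sample log lines, the vendor/product/version strings and the severity rule are constructed for illustration.

```python
import json
import sys

# Constructed sample: two http.log records as Bro's ASCII writer emits them in
# JSON mode (one object per line, field names as in http.log). Not real traffic.
SAMPLE_HTTP_LOG = """\
{"ts":1469718000.123456,"uid":"CHhAvVGS1DHFjwGM9","id.orig_h":"10.0.0.5","id.orig_p":51234,"id.resp_h":"93.184.216.34","id.resp_p":80,"method":"GET","host":"example.com","uri":"/index.html","status_code":200}
{"ts":1469718001.5,"uid":"CRoAE92Sw6QHLgR3Lf","id.orig_h":"10.0.0.7","id.orig_p":51300,"id.resp_h":"93.184.216.34","id.resp_p":80,"method":"POST","host":"example.com","uri":"/a=b|c","status_code":404}
"""

# http.log field -> CEF extension key (standard ArcSight key names).
HTTP_FIELD_MAP = [
    ("ts", "rt"),                 # receipt time, milliseconds since epoch
    ("id.orig_h", "src"), ("id.orig_p", "spt"),
    ("id.resp_h", "dst"), ("id.resp_p", "dpt"),
    ("method", "requestMethod"), ("host", "dhost"), ("uri", "request"),
    ("status_code", "outcome"), ("uid", "externalId"),
]


def cef_header_escape(value):
    """Header fields: escape backslash and the pipe delimiter."""
    return str(value).replace("\\", "\\\\").replace("|", "\\|")


def cef_ext_escape(value):
    """Extension values: escape backslash, '=' and line breaks (pipe is allowed)."""
    return (str(value).replace("\\", "\\\\").replace("=", "\\=")
            .replace("\r", "\\r").replace("\n", "\\n"))


def bro_http_to_cef(record, sensor_name):
    """Render one decoded http.log record as a CEF:0 event tagged with the sensor."""
    # Constructed severity rule: HTTP errors rank higher than successful requests.
    status = int(record.get("status_code", 0) or 0)
    severity = 5 if status >= 400 else 3
    header = "|".join(cef_header_escape(x) for x in
                      ("Bro", "http", "2.x", "http", "HTTP request", severity))
    # The sensor hostname goes first in the extension, in the standard dvchost key.
    pairs = ["dvchost=" + cef_ext_escape(sensor_name)]
    for field, key in HTTP_FIELD_MAP:
        if field not in record or record[field] is None:
            continue
        value = record[field]
        if key == "rt":
            value = int(float(value) * 1000)   # Bro seconds -> CEF milliseconds
        pairs.append(key + "=" + cef_ext_escape(value))
    return "CEF:0|" + header + "|" + " ".join(pairs)


def convert_lines(text, sensor_name):
    """Convert a block of JSON-mode http.log lines; skips blanks and '#' lines."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        events.append(bro_http_to_cef(json.loads(line), sensor_name))
    return events


if __name__ == "__main__":
    # Stream mode: e.g.  tail -F http.log | python bro_cef.py sensor01
    sensor = sys.argv[1] if len(sys.argv) > 1 else "sensor01"
    source = sys.stdin if not sys.stdin.isatty() else SAMPLE_HTTP_LOG.splitlines()
    for raw in source:
        raw = raw.strip()
        if raw and not raw.startswith("#"):
            print(bro_http_to_cef(json.loads(raw), sensor))
```

Run on the embedded sample it prints one CEF line per record, the first starting `CEF:0|Bro|http|2.x|http|HTTP request|3|dvchost=sensor01 rt=1469718000123 src=10.0.0.5 ...`; the second record's URI `/a=b|c` comes out as `request=/a\=b|c`, which is the part that a hand-rolled converter most often gets wrong. The seven header fields are fixed by the CEF spec, so a per-sensor tag belongs in the extension (`dvchost`, or a `cs1Label=sensor cs1=...` pair) rather than "near CEF:0".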