[Bro] Analyzing and Visualizing Bro Logs with Splunk

Brad Shoop brad.shoop at gmail.com
Fri May 4 08:23:09 PDT 2012


Justin Azoff <JAzoff <at> albany.edu> writes:

> 
> On Thu, Apr 19, 2012 at 11:13:20AM -0400, Chris Crawford wrote:
> > Does anybody have the slides or video from "Analyzing and Visualizing
> > Bro Logs with Splunk" talk at Bro Workshop 2011?
> > 
> > -Chris
> 
> Hmm, I thought they were put on the website.. I was difficult and used
> the google HTML5 slideshow template 
> 
> The presentation is attached. Let me know if you have any questions.
> 
> The old metrics scripts I mention were indeed obsoleted by 2.0, but I've
> updated most of them:
> 
> https://github.com/JustinAzoff/bro_scripts/tree/2.0/
> 


If you want to get going quickly, download the Security Onion app
for Splunk and either install it (if it's not a Security Onion system,
you'll want to disable the SOstat scripts) or rename it to a .tar.gz
and extract. If you're already pulling Bro data in, you should be
able to match up the sourcetype names to the props/transforms.conf
then copy the props.conf and transforms.conf files to your Splunk
instance.

That will get you all the field extractions and data into Splunk, and
the Security Onion app will provide some initial dashboards and
panels to give you more ideas.

Brad Shoop
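To see what the props.conf/transforms.conf field extractions Brad mentions have to line up with, here is an added example (not code from this thread, from Security Onion or from Justin's scripts) that parses a constructed Bro 2.x conn.log excerpt, handling the #separator, #unset_field and #empty_field header conventions, and derives a Splunk transforms.conf DELIMS/FIELDS stanza from the log's own #fields header. The stanza name bro_<path>_fields is an assumption.

```python
# Constructed conn.log excerpt: Bro 2.x header block plus two records.
SAMPLE_CONN_LOG = (
    "#separator \\x09\n"
    "#set_separator\t,\n#empty_field\t(empty)\n#unset_field\t-\n#path\tconn\n"
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto"
    "\tservice\tduration\torig_bytes\tresp_bytes\tconn_state\n"
    "#types\ttime\tstring\taddr\tport\taddr\tport\tenum\tstring\tinterval"
    "\tcount\tcount\tstring\n"
    "1335980400.123456\tCXWv6p3arKYeMETxOg\t192.0.2.10\t51234\t198.51.100.20"
    "\t80\ttcp\thttp\t0.512\t420\t1580\tSF\n"
    "1335980401.654321\tCjhGID4nQcgTWjvg4c\t192.0.2.11\t55555\t198.51.100.53"
    "\t53\tudp\tdns\t-\t60\t-\tS0\n"
)
# Bro #types -> Python casts; anything else (addr, string, enum, ...) stays str.
CASTS = {"count": int, "int": int, "port": int,
         "time": float, "interval": float, "double": float}


def parse_bro_log(text):
    """Parse a Bro ASCII log into {"path", "fields", "types", "records"}."""
    opts = {"set_separator": ",", "empty_field": "(empty)", "unset_field": "-"}
    log = {"path": None, "fields": [], "types": [], "records": []}
    sep = "\t"
    for line in text.splitlines():
        if line.startswith("#separator "):
            # The separator itself is written escaped (\x09 for a tab).
            sep = line.split(" ", 1)[1].encode().decode("unicode_escape")
        elif line.startswith("#"):  # other header lines; #open/#close ignored
            key, _, value = line[1:].partition(sep)
            if key in opts:
                opts[key] = value
            elif key == "path":
                log["path"] = value
            elif key in ("fields", "types"):
                log[key] = value.split(sep)
        elif line:
            rec = {}
            for name, typ, raw in zip(log["fields"], log["types"], line.split(sep)):
                if raw == opts["unset_field"]:  # e.g. no duration for a UDP S0 flow
                    rec[name] = None
                elif typ.startswith(("set[", "vector[")):
                    rec[name] = [] if raw == opts["empty_field"] else raw.split(opts["set_separator"])
                else:
                    rec[name] = CASTS.get(typ, str)(raw)
            log["records"].append(rec)
    return log


def transforms_stanza(path, fields):
    """transforms.conf stanza (DELIMS/FIELDS) for one Bro log; name is an assumption."""
    quoted = ", ".join('"%s"' % f for f in fields)
    return '[bro_%s_fields]\nDELIMS = "\\t"\nFIELDS = %s\n' % (path, quoted)
```

The sourcetype a stanza is attached to in props.conf (REPORT-… = bro_conn_fields) must still match whatever name your Bro inputs use, which is the matching step described above.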