[Bro] any ArcSight users?

Brad Doctor brad.doctor at gmail.com
Wed May 15 11:50:26 PDT 2013


We did, but as we customize our format, it didn't work. And we have a lot
of sensors reporting in via syslog forwarding, so the flexconnector was the
most reliable way to do this. Syslog subagent, basically.
-brad


On Wed, May 15, 2013 at 12:47 PM, Michael Cox <mscox42 at gmail.com> wrote:

> Did you try their canned "Bro IDS NG" connector? "NG" is their way of
> saying v2.1.
>
> It parses OK, but I'm having issues with log rotation. Could you share
> your agent.properties file for the rotation options?
>
> Thanks again,
> Michael
>
>
> On Wed, May 15, 2013 at 1:28 PM, Brad Doctor <brad.doctor at gmail.com> wrote:
>
>> yup - a flex connector is your answer.
>> -brad
>>
>>
>> On Wed, May 15, 2013 at 11:36 AM, Seth Hall <seth at icir.org> wrote:
>>
>>>
>>> On May 15, 2013, at 1:22 PM, Michael Cox <mscox42 at gmail.com> wrote:
>>>
>>> > Anyone feeding Bro logs to ArcSight? If so, could you ping me back,
>>> please? We can take it off-list.
>>>
>>> Sounds worthwhile, please keep it on list!
>>>
>>>   .Seth
>>>
>>> --
>>> Seth Hall
>>> International Computer Science Institute
>>> (Bro) because everyone has a network
>>> http://www.bro.org/
>>>
>>>
>>> _______________________________________________
>>> Bro mailing list
>>> bro at bro-ids.org
>>> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
>>>
>>
>>
>
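Brad's point that a customized log format breaks the canned connector while a syslog-style feed still works, as an added example that is not part of the thread and not ArcSight's FlexConnector or Bro project code: Bro's ASCII logs carry their own #fields/#types header, so a parser driven by that header copes with custom columns, keeps Bro's unset ("-") versus empty distinction, counts truncated lines (as a rotation mid-write can leave them) instead of dropping them silently, and renders each record as key=value text a syslog-side parser can take. The sample log and the key=value layout are constructed assumptions.

```python
import shlex

# Constructed Bro 2.1-style ASCII log (not a real capture) with a custom trailing
# "sensor" column: the header is self-describing, so the parser below copes with
# customized formats; the third record is cut short as a rotation might leave it.
SAMPLE_LOG = """#separator \\x09
#set_separator\t,
#empty_field\t(empty)
#unset_field\t-
#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tservice\tsensor
#types\ttime\tstring\taddr\tport\taddr\tport\tenum\tstring\tstring
1368640226.123456\tCXWv6p3arKYeMETxOg\t10.0.0.5\t52311\t192.0.2.10\t80\ttcp\thttp\tsensor a
1368640227.000000\tC4J4Th3PJpwUYZZ6gc\t10.0.0.6\t53011\t192.0.2.20\t443\ttcp\t-\tsensor-b
1368640228.500000\tCjhGrs2tmpX7Yw3Bcb\t10.0.0.7\t40000
"""
CAST = {"count": int, "int": int, "port": int, "time": float, "interval": float, "double": float}

def parse_bro_log(text):
    """Return (records, bad_line_count), driven by the log's #fields/#types header."""
    sep, hdr = "\t", {"set_separator": ",", "empty_field": "(empty)", "unset_field": "-"}
    records, bad = [], 0
    for line in text.splitlines():
        if line.startswith("#separator "):   # value is written escaped, e.g. \x09
            sep = line.split(" ", 1)[1].encode().decode("unicode_escape")
        elif line.startswith("#"):
            key, _, value = line[1:].partition(sep)
            hdr[key] = value.split(sep) if key in ("fields", "types") else value
        elif line:
            fields, types, values = hdr.get("fields", []), hdr.get("types", []), line.split(sep)
            if len(values) != len(fields):   # truncated line: count it, don't drop silently
                bad += 1
                continue
            rec = {}
            for name, typ, raw in zip(fields, types, values):
                coll = typ.startswith(("set[", "vector["))
                if raw == hdr["unset_field"]:     # Bro's '-' means "no value"
                    rec[name] = None
                elif raw == hdr["empty_field"]:
                    rec[name] = [] if coll else ""
                else:
                    rec[name] = raw.split(hdr["set_separator"]) if coll else CAST.get(typ, str)(raw)
            records.append(rec)
    return records, bad

def to_syslog_kv(rec):
    """One key=value line for a syslog-style forwarder; unset fields are omitted and
    values are shell-quoted so a downstream parser does not split them on spaces."""
    return " ".join(f"{k}={shlex.quote(','.join(v) if isinstance(v, list) else str(v))}"
                    for k, v in rec.items() if v is not None)
```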