[Bro] any ArcSight users?

Michael Cox mscox42 at gmail.com
Wed May 15 12:37:03 PDT 2013


I made a quick flex connector (file reader) for just the http.log as a
test. It all works fine, and it handles file rotation without the problems
I am seeing with the canned connector.

There's a handy function built into the flex
connector, _createLocalTimeStampFromSecondsSinceEpoch(), to convert the
time to a format that ESM can deal with. Everything else was very simple
and straightforward.

Hopefully the thread will help someone else.

Regards,
Michael


On Wed, May 15, 2013 at 2:08 PM, Brad Doctor <brad.doctor at gmail.com> wrote:

> In the .bro files, some changes have been made to the format to better
> suit our needs. As such, that completely breaks the ArcSight connector.
>
>
> On Wed, May 15, 2013 at 1:02 PM, Seth Hall <seth at icir.org> wrote:
>
>>
>> On May 15, 2013, at 2:50 PM, Brad Doctor <brad.doctor at gmail.com> wrote:
>>
>> > We did, but as we customize our format, it didn't work. And we have a
>> lot of sensors reporting in via syslog forwarding, so the flexconnector was
>> the most reliable way to do this. Syslog subagent, basically.
>>
>> What do you mean you customize your format?
>>
>>   .Seth
>>
>> --
>> Seth Hall
>> International Computer Science Institute
>> (Bro) because everyone has a network
>> http://www.bro.org/
>>
>>
>
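The thread describes reading Bro's http.log with a file-reader flex connector and converting the epoch `ts` field with `_createLocalTimeStampFromSecondsSinceEpoch()`. The following is an added example, not code from the thread, from ArcSight, or from the Bro project: a small Python reader for the Bro 2.x ASCII log layout that takes the field names and types from the `#fields`/`#types` header (so it is not tied to http.log, and survives a site-customized field list like the one Brad mentions), honours `#unset_field`/`#empty_field`, and converts `time` fields from seconds-since-epoch. The sample log lines are constructed; the timestamps are rendered in UTC rather than local time so the result does not depend on the host's timezone.

```python
"""Reader for Bro (now Zeek) ASCII logs with epoch -> timestamp conversion.

Added example, not ArcSight or Bro project code. SAMPLE_HTTP_LOG below is
constructed to follow the Bro 2.x header layout (#separator, #fields, #types,
#unset_field, #empty_field); only the header drives the parser, so a custom
field list still parses as long as the header describes it.
"""
import io
from datetime import datetime, timezone

SAMPLE_HTTP_LOG = (
    "#separator \\x09\n"            # first line uses a space; value is escaped
    "#set_separator\t,\n"
    "#empty_field\t(empty)\n"
    "#unset_field\t-\n"
    "#path\thttp\n"
    "#open\t2013-05-15-19-00-00\n"
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p"
    "\tmethod\thost\turi\tuser_agent\tstatus_code\n"
    "#types\ttime\tstring\taddr\tport\taddr\tport"
    "\tstring\tstring\tstring\tstring\tcount\n"
    # constructed data lines (uids and addresses are made up)
    "1368646623.123456\tCXWv6p3arKYeMETxOg\t192.168.1.10\t52834"
    "\t93.184.216.34\t80\tGET\texample.com\t/\tcurl/7.29.0\t200\n"
    "1368646630.500000\tCjY6hF1k2nB4pQ8zLa\t192.168.1.11\t52901"
    "\t93.184.216.34\t80\tPOST\texample.com\t/login\t-\t302\n"
    "#close\t2013-05-15-20-00-00\n"
)


def epoch_to_timestamp(seconds):
    """Seconds since the epoch -> 'YYYY-MM-DD HH:MM:SS.mmm' (UTC).

    Stand-in for the flex connector helper named in the thread, which
    produces local time; UTC is used here so the output is deterministic.
    """
    dt = datetime.fromtimestamp(float(seconds), tz=timezone.utc)
    return dt.strftime("%Y-%m-%d %H:%M:%S.") + "%03d" % (dt.microsecond // 1000)


def _convert(value, typ, unset, empty):
    """Apply the #types declaration to one raw field value."""
    if value == unset:
        return None
    if value == empty:
        return ""
    if typ == "time":
        return datetime.fromtimestamp(float(value), tz=timezone.utc)
    if typ in ("count", "int", "port"):
        return int(value)
    if typ in ("double", "interval"):
        return float(value)
    if typ == "bool":
        return value == "T"
    return value            # string, addr, enum, etc. stay as text


def parse_bro_log(stream):
    """Yield one dict per data line of a Bro ASCII log read from `stream`."""
    sep, unset, empty = "\t", "-", "(empty)"
    fields, types = None, None
    for raw in stream:
        line = raw.rstrip("\n")
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#separator "):
                # the separator itself is written as an escape, e.g. \x09
                sep = line[len("#separator "):].encode("ascii").decode("unicode_escape")
                continue
            key, _, value = line[1:].partition(sep)
            if key == "fields":
                fields = value.split(sep)
            elif key == "types":
                types = value.split(sep)
            elif key == "unset_field":
                unset = value
            elif key == "empty_field":
                empty = value
            continue            # #path, #open, #close, #set_separator: ignored
        if fields is None:
            raise ValueError("data line before #fields header")
        values = line.split(sep)
        if len(values) != len(fields):
            raise ValueError("field count mismatch: %r" % line)
        cols = types or ["string"] * len(fields)
        yield {name: _convert(v, t, unset, empty)
               for name, t, v in zip(fields, cols, values)}


def parse_sample():
    """Parse the constructed sample and return the records as a list."""
    return list(parse_bro_log(io.StringIO(SAMPLE_HTTP_LOG)))


if __name__ == "__main__":
    for rec in parse_sample():
        print(epoch_to_timestamp(rec["ts"].timestamp()), rec["id.orig_h"],
              rec["method"], rec["host"] + rec["uri"], rec["status_code"])
```

The parser keeps no state beyond the current stream, which is what makes rotation easy to handle in a tailing reader: when Bro renames http.log away and starts a new file, the reader simply reopens the path and parses the new header, and a custom field order is picked up the same way.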