[Bro] A question on barnyard2 integration
James Lay
jlay at slave-tothe-box.net
Thu Jul 31 07:56:46 PDT 2014
On 2014-07-29 19:24, Seth Hall wrote:
> On Jul 29, 2014, at 9:13 PM, James Lay <jlay at slave-tothe-box.net>
> wrote:
>
>> Ah crud...had the Barnyard2::LOG line added on the production box,
>> but the @load policy on the dev box 8-| Just one of those days I
>> guess...thanks again Seth.
>
> No problem. I wouldn't even complain if you documented your
> experiences with this stuff somewhere. :)
>
> .Seth
>
> --
> Seth Hall
> International Computer Science Institute
> (Bro) because everyone has a network
> http://www.bro.org/
Thanks Seth.
So far I haven't been able to get this to work. Everything seems to be
functioning, but I don't get any snort data into elasticsearch (I do get
conn.log data though). Info below:
installed broccoli
recompiled barnyard2 with ./configure --enable-ipv6 --enable-gre --enable-bro --with-mysql --with-tcl=/usr/local/lib and I do see "checking for broccoli... yes"
local.bro:
@load frameworks/communication/listen
@load policy/integration/barnyard2
@load tuning/logs-to-elasticsearch
redef LogElasticSearch::send_logs += {
Conn::LOG,
Barnyard2::LOG
};
redef LogElasticSearch::server_host = "x.x.x.x";
netstat:
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:47757           0.0.0.0:*               LISTEN      25340/bro
barnyard:
output alert_bro: 127.0.0.1:47757
from runtime with -v:
alert_bro Connecting to Bro (127.0.0.1:47757)...done.
But all I see is conn.log info...no barnyard2 data. Not sure what else
to do at this point...thanks Seth.
James
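An added debugging script, not part of this thread or of the Bro distribution, that splits the problem above in two: are barnyard_alert events reaching Bro at all, and is only the ElasticSearch writer failing to pick up Barnyard2::LOG? It assumes the barnyard_alert event signature and the Barnyard2::PacketID / Barnyard2::AlertData field names from the Bro 2.x policy/integration/barnyard2 scripts, and the Communication::nodes record fields of the 2.x communication framework; the node label "barnyard2", the alerts_seen counter and the print format are my own.

```bro
##! Added debugging script (not from the original message or the Bro project).
##! Load it from local.bro in place of the three @load lines shown above.
##! Event and record field names are assumed from Bro 2.x.

@load frameworks/communication/listen
@load policy/integration/barnyard2
@load tuning/logs-to-elasticsearch

# Accept the Broccoli connection from barnyard2 on the loopback interface.
# Assumption: the $events pattern has to match "barnyard_alert" for Bro to
# request that event from the peer.
redef Communication::nodes += {
	["barnyard2"] = [$host=127.0.0.1, $events=/barnyard_alert/, $connect=F, $ssl=F]
};

redef LogElasticSearch::send_logs += { Conn::LOG, Barnyard2::LOG };
redef LogElasticSearch::server_host = "x.x.x.x";   # placeholder, as in the thread

# Step 1: prove that events arrive. This handler runs in addition to the one
# in policy/integration/barnyard2 that writes Barnyard2::LOG.
global alerts_seen = 0;

event barnyard_alert(id: Barnyard2::PacketID, alert: Barnyard2::AlertData,
                     msg: string, data: string)
	{
	++alerts_seen;
	print fmt("barnyard_alert #%d sid=%d gid=%d %s:%s -> %s:%s %s",
	          alerts_seen, alert$signature_id, alert$generator_id,
	          id$src_ip, id$src_p, id$dst_ip, id$dst_p, msg);
	}

# Step 2: show on the Bro side that the Broccoli peer really connected,
# independent of what barnyard2 -v claims.
event remote_connection_established(p: event_peer)
	{
	print fmt("peer %s:%s connected", p$host, p$p);
	}

event remote_connection_closed(p: event_peer)
	{
	print fmt("peer %s:%s closed (%d alerts seen)", p$host, p$p, alerts_seen);
	}
```

If the "connected" line appears but no barnyard_alert lines follow, the fault is between barnyard2 and Bro (the node's $events pattern, or the event barnyard2 sends not matching what Bro handles); if alerts print but nothing reaches Elasticsearch, the log writer is the suspect and the on-disk Barnyard2::LOG output is the next thing to compare against.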