[Bro] Bro Log ingestion

John Landers jlanders at paymetric.com
Wed Sep 17 05:26:49 PDT 2014 

I’m not sure it’s an option for you, but I’m using Splunk to ingest logs from multiple Bro sensors. It’s a great way to compliment the other data I have in Splunk and after creating some field extractions, it becomes really easy to search the data or create statistics of the data.

 

 

 

John Landers

 

From: bro-bounces at bro.org [mailto:bro-bounces at bro.org] On Behalf Of Jonathon Wright
Sent: Tuesday, September 16, 2014 8:54 PM
To: bro at bro.org
Subject: [Bro] Bro Log ingestion

 

Hello, 

 

Requirement:

I'm trying to find the most efficient way to ingest all of Bro's logs, where Bro is running on multiple servers, and get a single server/point of query/mining/reporting, etc.  Servers are running Red Hat 6.5 and Bro 2.3 built from source with file extraction enabled (HTTP protocol for exe files). All Bro logs and extracted files seem to be by default owned by root:root, but I'd like to have them available to a non-root group once on the single server/point/interface to the analyst. 

 

 

(My apologies if this has been covered, but I do not know where to search other than just ask or google it. )

 

Current setup

Red Hat is running fine, Bro 2.3 with file extraction is working fine. So no worries, I just need the best methodology to implement for ingesting all the Bro logs (and extracted files) to a single point for analysis/mining/querying/reporting etc. 

 

Research

Looking around and doing some reading, I've found two possible solutions ELSA and LOGSTASH although I don't know them very well and / or what their capabilities are either. But I'd like to know if they are viable, especially given my scenario, or if there is something better. Also, a how-to so I can set it up. 

 

I look forward to your reply, thanks!

 

JW

 

 

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20140917/ab90d50a/attachment.html 
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 6593 bytes
Desc: not available
Url : http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20140917/ab90d50a/attachment.bin

More information about the Bro mailing list