[Bro] Bro Log ingestion
Will Havlovick
will.havlovick at zenimax.com
Wed Sep 17 06:13:13 PDT 2014
I agree with using Splunk. It has really helped us with our massive amount of Bro logs. We are also dumping other logs(AD, FW, etc.) into Splunk and correlating them with the Bro logs.
With Splunk though, it does tend to get pricey as you put more and more data into. But I believe you can use up to 500mb a day without cost.
Will
On 17.09.2014, at 08:49, "John Landers" <jlanders at paymetric.com<mailto:jlanders at paymetric.com>> wrote:
I’m not sure it’s an option for you, but I’m using Splunk to ingest logs from multiple Bro sensors. It’s a great way to compliment the other data I have in Splunk and after creating some field extractions, it becomes really easy to search the data or create statistics of the data.
John Landers
From: bro-bounces at bro.org<mailto:bro-bounces at bro.org> [mailto:bro-bounces at bro.org] On Behalf Of Jonathon Wright
Sent: Tuesday, September 16, 2014 8:54 PM
To: bro at bro.org<mailto:bro at bro.org>
Subject: [Bro] Bro Log ingestion
Hello,
Requirement:
I'm trying to find the most efficient way to ingest all of Bro's logs, where Bro is running on multiple servers, and get a single server/point of query/mining/reporting, etc. Servers are running Red Hat 6.5 and Bro 2.3 built from source with file extraction enabled (HTTP protocol for exe files). All Bro logs and extracted files seem to be by default owned by root:root, but I'd like to have them available to a non-root group once on the single server/point/interface to the analyst.
(My apologies if this has been covered, but I do not know where to search other than just ask or google it. )
Current setup
Red Hat is running fine, Bro 2.3 with file extraction is working fine. So no worries, I just need the best methodology to implement for ingesting all the Bro logs (and extracted files) to a single point for analysis/mining/querying/reporting etc.
Research
Looking around and doing some reading, I've found two possible solutions ELSA and LOGSTASH although I don't know them very well and / or what their capabilities are either. But I'd like to know if they are viable, especially given my scenario, or if there is something better. Also, a how-to so I can set it up.
I look forward to your reply, thanks!
JW
_______________________________________________
Bro mailing list
bro at bro-ids.org<mailto:bro at bro-ids.org>
http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20140917/a809ea0b/attachment.html
More information about the Bro
mailing list