[Bro] problem ingesting bro json logs into splunk

Brandon Lattin lattin at umn.edu
Thu Jul 14 07:14:25 PDT 2016


Do you have the Splunk TA installed? (https://splunkbase.splunk.com/app/1617/)

The TA will dynamically create sourcetypes based on the log name.

# Dynamic source typing based on log filename
# Match: conn.log, bro.conn.log,
# md5.bro.conn.log, whatever.conn.log
[BroAutoType]
DEST_KEY = MetaData:Sourcetype
SOURCE_KEY = MetaData:Source
REGEX = ([a-zA-Z0-9-]+)(?:\.[0-9-]*)?(?:\.[0-9\:-]*)?\.log
FORMAT = sourcetype::bro_$1
WRITE_META = true


On Thu, Jul 14, 2016 at 8:33 AM, philosnef <philosnef at yahoo.com> wrote:

> We are getting a spurious sourcetype when ingesting bro json logs into
> splunk.
>
> Specifically, we are getting a sourcetype of bro_00. There is no log file
> named this, and the splunkforwarder is just pushing the raw logs for
> indexing into splunk. There is no massaging of the log data. Anyone know
> why this sourcetype is popping up?
>
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
>



-- 
Brandon Lattin
Security Analyst
University of Minnesota - University Information Security
Office: 612-626-6672
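The transform quoted above is an unanchored regex search over the Splunk `source` field, and the sourcetype it emits is whatever the first capture group happens to grab. The script below is an added example (not from the thread, the TA, or Splunk) that emulates the `BroAutoType` stanza with Python's `re` module standing in for Splunk's PCRE engine (the two engines agree for this pattern) so that a set of log paths can be checked against the sourcetypes an analyst expects before the data is indexed. The sample paths are constructed, including one with an underscore in the name, a character the stanza's class does not accept.

```python
import re

# The BroAutoType stanza from the mail above, reproduced as a Python regex.
# REGEX  = ([a-zA-Z0-9-]+)(?:\.[0-9-]*)?(?:\.[0-9\:-]*)?\.log
# FORMAT = sourcetype::bro_$1
BRO_AUTOTYPE_REGEX = re.compile(r"([a-zA-Z0-9-]+)(?:\.[0-9-]*)?(?:\.[0-9\:-]*)?\.log")
SOURCETYPE_FORMAT = "bro_{}"


def bro_sourcetype(source):
    """Emulate the BroAutoType transform on one Splunk 'source' value.

    Splunk applies REGEX as an unanchored search, so re.search is used.
    Returns the sourcetype the stanza would write, or None when the stanza
    does not fire and the event keeps its default sourcetype.
    """
    m = BRO_AUTOTYPE_REGEX.search(source)
    if m is None:
        return None
    return SOURCETYPE_FORMAT.format(m.group(1))


def check_sources(expected):
    """Return {source: derived_sourcetype} for every source whose derived
    sourcetype differs from the expected one in the mapping given."""
    mismatches = {}
    for src, want in expected.items():
        got = bro_sourcetype(src)
        if got != want:
            mismatches[src] = got
    return mismatches


# Constructed sample paths (not taken from the thread) with the sourcetype
# an analyst would expect for each of them.
SAMPLE_SOURCES = {
    "/nsm/bro/logs/current/conn.log": "bro_conn",
    "/nsm/bro/logs/current/bro.conn.log": "bro_conn",
    "/nsm/bro/logs/current/md5.bro.conn.log": "bro_conn",
    # Rotated log name: the third regex group absorbs the HH:MM:SS-HH:MM:SS range.
    "/nsm/bro/logs/2016-07-14/conn.00:00:00-01:00:00.log": "bro_conn",
    # Underscore is not in [a-zA-Z0-9-], so the search falls through to "json".
    "/nsm/bro/logs/current/conn_json.log": "bro_conn",
}

if __name__ == "__main__":
    for src in SAMPLE_SOURCES:
        print(f"{src} -> {bro_sourcetype(src)}")
    print("mismatches:", check_sources(SAMPLE_SOURCES))
```

Running it prints the derived sourcetype for each path and reports the one mismatch, where a name the character class does not cover yields `bro_json` instead of `bro_conn`. Feeding the script the real `source` values seen in Splunk (for example from a search over the unexpected sourcetype) is a quick way to see which filename produced a surprising capture without touching the forwarder configuration.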