[Bro] problem ingesting bro json logs into splunk

Drew Dixon dwdixon at umich.edu
Thu Jul 14 09:14:44 PDT 2016


Sorry, hope I'm not hijacking; quick question very closely related to
this...is the Splunk app for Bro that Brandon linked to here supposed to
parse out all the various Bro 2.4.1 log types' fields correctly?
In other words, is the latest version of the Splunk app for Bro/TA supposed
to work properly for parsing out Bro log fields with the way the log
fields/columns etc. are now in Bro 2.4.1? I think the Splunk Add-on for Bro
IDS was written for Bro 2.1 or 2.2...do changes that were made in
subsequent versions of Bro such as 2.4.1 break the fields being parsed out
in Splunk when using this Splunk Add-on for Bro/Bro TA in Splunkbase? Or
does Splunk need to update the add-on to work properly with Bro 2.4.1?

Thank you,

-Drew

On Thu, Jul 14, 2016 at 11:59 AM, Azoff, Justin S <jazoff at illinois.edu>
wrote:

>
> > On Jul 14, 2016, at 11:33 AM, Gross, Brett <gross.b at ghc.org> wrote:
> >
> > We’ve used bro and splunk at our organization for a couple years now. We
> utilize the Splunk props and transforms configs to ingest the bro log in
> the format we want or with the additional attributes and aliases.
>
> Ah, that's for the tab-delimited logs, not the JSON logs though.  I
> actually did it that way for years; I even have a Python program that helps
> you generate the config:
>
>
> https://github.com/JustinAzoff/bro_scripts/blob/2.0/generate_splunk_configs.py
>
> But, I wouldn't use this method - the splunk TA app for bro is better.
>
> As far as I know the transforms/props method only does the field lookups
> at search time, not at index time like the TA app configures.
>
> Whenever the bro logs change and a column is added or removed, all those
> search time field lookups break.
>
>
> --
> - Justin Azoff
>
>
>
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
>
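The failure mode Justin describes in the quoted reply (a fixed props/transforms column mapping silently mis-assigning values once a Bro log gains or loses a column, versus a mapping driven by the log's own `#fields` header or by JSON field names) is easy to reproduce offline. The Python below is an added example for this page; it is not code from the thread, from Justin's generate_splunk_configs.py, or from the Splunk Add-on for Bro. The conn.log column list is illustrative rather than the exact layout of any Bro release, and the inserted `extra_col` column is a constructed stand-in for whatever a schema change adds. The generated transforms.conf stanza only shows the `DELIMS`/`FIELDS` keys that a delimiter-based extraction needs.

```python
"""Bro ASCII log field mapping: header-driven vs. fixed positional extraction.

Constructed sample data and a hypothetical schema change; not from the Bro
mailing list, the Bro project, or the Splunk TA.
"""
import json


def make_log(fields, types, rows):
    """Build a Bro-style tab-separated ASCII log (constructed sample)."""
    header = [
        "#separator \\x09",
        "#set_separator\t,",
        "#empty_field\t(empty)",
        "#unset_field\t-",
        "#path\tconn",
        "#fields\t" + "\t".join(fields),
        "#types\t" + "\t".join(types),
    ]
    body = ["\t".join(r) for r in rows]
    return "\n".join(header + body + ["#close\t2016-07-14-09-00-00"])


# Illustrative subset of conn.log columns, not the exact layout of any release.
OLD_FIELDS = ["ts", "uid", "id.orig_h", "id.orig_p", "id.resp_h", "id.resp_p", "proto", "service"]
OLD_TYPES = ["time", "string", "addr", "port", "addr", "port", "enum", "string"]
OLD_ROWS = [
    ["1468512000.123456", "Cabc123", "10.0.0.5", "51234", "93.184.216.34", "443", "tcp", "ssl"],
    ["1468512001.000000", "Cdef456", "10.0.0.6", "53000", "10.0.0.1", "53", "udp", "-"],
]
# Hypothetical newer schema: a constructed "extra_col" inserted before id.resp_h.
NEW_FIELDS = OLD_FIELDS[:4] + ["extra_col"] + OLD_FIELDS[4:]
NEW_TYPES = OLD_TYPES[:4] + ["string"] + OLD_TYPES[4:]
NEW_ROWS = [r[:4] + ["x"] + r[4:] for r in OLD_ROWS]

OLD_LOG = make_log(OLD_FIELDS, OLD_TYPES, OLD_ROWS)
NEW_LOG = make_log(NEW_FIELDS, NEW_TYPES, NEW_ROWS)


def parse_bro_ascii(text):
    """Parse a Bro ASCII log using its own #fields/#unset_field/#empty_field lines,
    so column additions or removals are followed automatically."""
    fields, unset, empty, records = None, "-", "(empty)", []
    for line in text.splitlines():
        if not line:
            continue
        if line.startswith("#"):
            key, _, val = line[1:].partition("\t")
            if key == "fields":
                fields = val.split("\t")
            elif key == "unset_field":
                unset = val
            elif key == "empty_field":
                empty = val
            continue
        if fields is None:
            raise ValueError("data row before #fields header")
        cols = line.split("\t")
        if len(cols) != len(fields):
            raise ValueError("row has %d columns, header has %d" % (len(cols), len(fields)))
        records.append({n: (None if v == unset else "" if v == empty else v)
                        for n, v in zip(fields, cols)})
    return records


def extract_positional(text, fixed_fields):
    """Mimic a static search-time DELIMS/FIELDS extraction: names are frozen in the
    config and values are taken by position from whatever the log now contains.
    Nothing detects that the positions no longer match."""
    out = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        out.append(dict(zip(fixed_fields, line.split("\t"))))
    return out


def transforms_stanza(name, fields):
    """Emit a Splunk transforms.conf stanza generated from the current #fields line;
    a generator like this has to be rerun whenever the header changes."""
    return "[%s]\nDELIMS = \"\\t\"\nFIELDS = %s\n" % (name, ", ".join(fields))


def to_json_lines(records):
    """One JSON object per line with the field names embedded, the shape in which
    Bro's JSON writer makes positional drift impossible."""
    return "\n".join(json.dumps(r, sort_keys=True) for r in records)


if __name__ == "__main__":
    old = extract_positional(OLD_LOG, OLD_FIELDS)[0]
    drifted = extract_positional(NEW_LOG, OLD_FIELDS)[0]
    print("fixed config, old log  : id.resp_p =", old["id.resp_p"])
    print("fixed config, new log  : id.resp_p =", drifted["id.resp_p"])
    print("header-driven, new log : id.resp_p =", parse_bro_ascii(NEW_LOG)[0]["id.resp_p"])
    print(transforms_stanza("bro_conn", NEW_FIELDS))
    print(to_json_lines(parse_bro_ascii(NEW_LOG)))
```

Running it shows the point in the reply: the fixed mapping reports `id.resp_p` as the responder's address once a column is inserted ahead of it, with no error raised, while the header-driven parser and the JSON form keep every field correct. For a SIEM this is the dangerous case, since searches and alerts keyed on a mis-mapped field quietly return the wrong thing rather than failing.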