[Bro] problem ingesting bro json logs into splunk

Brandon Lattin lattin at umn.edu
Thu Jul 14 09:33:55 PDT 2016


Drew,

It should work just fine, assuming TSV headers are present, as it keys off
the headers for the extractions.

On Thu, Jul 14, 2016 at 11:14 AM, Drew Dixon <dwdixon at umich.edu> wrote:

> Sorry hope I'm not hijacking- quick question very closely related to
> this...is the Splunk app for Bro that Brandon linked to here supposed to
> parse out all the various bro 2.4.1 log types' fields correctly?
> In other words, is the latest version of the Splunk app for Bro/TA
> supposed to work properly for parsing out Bro log fields with the way the
> log fields/columns etc. are now in Bro 2.4.1? I think the Splunk Add-on for
> Bro IDS was written for Bro 2.1 or 2.2...do changes that were made in
> subsequent versions of Bro such as 2.4.1 break the fields being parsed out
> in Splunk when using this Splunk Add-on for Bro/Bro TA in Splunkbase?  Or
> does Splunk need to update the add-on to work properly with Bro 2.4.1?
>
> Thank you,
>
> -Drew
>
> On Thu, Jul 14, 2016 at 11:59 AM, Azoff, Justin S <jazoff at illinois.edu>
> wrote:
>
>>
>> > On Jul 14, 2016, at 11:33 AM, Gross, Brett <gross.b at ghc.org> wrote:
>> >
>> > We’ve used bro and splunk at our organization for a couple years now.
>> We utilize the Splunk props and transforms configs to ingest the bro log in
>> the format we want or with the additional attributes and aliases.
>>
>> Ah, that's for the tab delimited logs, not the json logs though.  I
>> actually did it that way for years, I even have a python program that helps
>> you generate the config:
>>
>>
>> https://github.com/JustinAzoff/bro_scripts/blob/2.0/generate_splunk_configs.py
>>
>> But, I wouldn't use this method - the splunk TA app for bro is better.
>>
>> As far as I know the transforms/props method only does the field lookups
>> at search time, not at index time like the TA app configures.
>>
>> Whenever the bro logs change and a column is added or removed, all those
>> search time field lookups break.
>>
>>
>> --
>> - Justin Azoff
>>
>>
>>
>> _______________________________________________
>> Bro mailing list
>> bro at bro-ids.org
>> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
>>
>



-- 
Brandon Lattin
Security Analyst
University of Minnesota - University Information Security
Office: 612-626-6672
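Brandon's point that the extraction keys off the TSV headers, and Justin's that positional props/transforms extractions break whenever a column is added or removed, as an added example (not Justin's generator script, nor the TA's own code): a parser that maps every record through the #fields and #types header lines and emits the records as JSON with the key names and types Bro's JSON writer uses. The conn.log sample is constructed, and the extra local_orig column in the second sample is a hypothetical upgrade, not a real Bro change.

```python
import json
# Constructed sample in Bro's TSV log format (not a real capture): a short conn.log with the
# metadata lines Bro writes before the records (#close follows them in a rotated file).
SAMPLE_TSV = """#separator \\x09
#set_separator\t,
#empty_field\t(empty)
#unset_field\t-
#path\tconn
#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tduration\tservice
#types\ttime\tstring\taddr\tport\taddr\tport\tenum\tinterval\tstring
1468514035.123456\tCXWv6p3arKYeMETxOg\t10.0.0.5\t51234\t198.51.100.20\t80\ttcp\t0.25\thttp
1468514036.000000\tCjhGID4nQcgTWjvg4c\t10.0.0.7\t40123\t10.0.0.1\t53\tudp\t-\t-
"""

# The same connections after a hypothetical upgrade inserted a local_orig column mid-row;
# because extraction keys off #fields, the parser below reads both files unchanged.
SAMPLE_TSV_NEW_COLUMN = (SAMPLE_TSV
    .replace("\tproto\tduration", "\tproto\tlocal_orig\tduration")
    .replace("\tenum\tinterval", "\tenum\tbool\tinterval")
    .replace("\ttcp\t0.25", "\ttcp\tT\t0.25").replace("\tudp\t-\t-", "\tudp\tT\t-\t-"))

def _convert(value, btype):
    # Coerce a cell to the JSON type Bro's JSON writer would emit for this #types entry.
    if btype in ("count", "int", "port"):
        return int(value)
    if btype in ("double", "interval", "time"):
        return float(value)
    if btype == "bool":
        return value == "T"
    return value  # string, addr, enum and container types stay as text here

def parse_bro_tsv(text):
    """Yield one dict per record, keyed by the #fields header rather than by column position."""
    header, sep = {}, "\t"
    for line in text.splitlines():
        if line.startswith("#"):  # metadata: "#key<sep>value" (#separator alone uses a space)
            key, _, value = line[1:].partition(" " if line.startswith("#separator") else sep)
            header[key] = value
            if key == "separator":
                sep = value.encode().decode("unicode_escape")  # "\\x09" -> tab
        elif line:
            fields, types = header["fields"].split(sep), header["types"].split(sep)
            unset, empty = header.get("unset_field", "-"), header.get("empty_field", "(empty)")
            values = line.split(sep)
            if len(values) != len(fields):
                raise ValueError("record does not match the #fields header: %r" % line)
            yield {name: "" if v == empty else _convert(v, t)
                   for name, t, v in zip(fields, types, values) if v != unset}  # unset: omitted

def to_json_lines(text):
    # One JSON object per record, the shape a JSON sourcetype in Splunk extracts by key name.
    return [json.dumps(record, sort_keys=True) for record in parse_bro_tsv(text)]
```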