[Bro] problem ingesting bro json logs into splunk

Steve Brant steve at brant.nu
Thu Jul 14 16:07:41 PDT 2016


I've attached a modified version of the Splunk TA for bro, that
accommodates bro logs in json format. Let me know if you have any problem
with it.

Thanks,
Steve

~/SB

On Thu, Jul 14, 2016 at 8:14 AM, Brandon Lattin <lattin at umn.edu> wrote:

> Do you have the Splunk installed? (https://splunkbase.splunk.com/app/1617/)
>
> The TA will dynamically create sourcetypes based on the log name.
>
> # Dynamic source typing based on log filename
> # Match: conn.log, bro.conn.log,
> # md5.bro.conn.log, whatever.conn.log
> [BroAutoType]
> DEST_KEY = MetaData:Sourcetype
> SOURCE_KEY = MetaData:Source
> REGEX = ([a-zA-Z0-9-]+)(?:\.[0-9-]*)?(?:\.[0-9\:-]*)?\.log
> FORMAT = sourcetype::bro_$1
> WRITE_META = true
>
>
> On Thu, Jul 14, 2016 at 8:33 AM, philosnef <philosnef at yahoo.com> wrote:
>
>> We are getting a spurious sourcetype when ingesting bro json logs into
>> splunk.
>>
>> Specifically, we are getting a sourcetype of bro_00. There is no log file
>> named this, and the splunkforwarder is just pushing the raw logs for
>> indexing into splunk. There is no massaging of the log data. Anyone know
>> why this sourcetype is popping up?
>>
>> _______________________________________________
>> Bro mailing list
>> bro at bro-ids.org
>> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
>>
>
>
>
> --
> Brandon Lattin
> Security Analyst
> University of Minnesota - University Information Security
> Office: 612-626-6672
>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: TA-bro_json.tar.gz
Type: application/x-gzip
Size: 4241 bytes
Desc: not available
Url : http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20160714/ea658fc8/attachment.gz 
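To see what the BroAutoType transform quoted in the thread actually derives from a source path, here is an added Python emulation of Splunk's REGEX/FORMAT step; it is not part of the thread or of the TA. The sample paths are constructed, and the underscore-widened pattern is an assumed variant for comparison, not something the TA ships.

```python
import re

# REGEX exactly as quoted from the BroAutoType transform in the thread.
BRO_AUTOTYPE_REGEX = re.compile(r"([a-zA-Z0-9-]+)(?:\.[0-9-]*)?(?:\.[0-9\:-]*)?\.log")

# Assumed variant (not from the thread or the TA): identical, except '_' is
# allowed in the log-name class, so names like known_hosts.log stay whole.
UNDERSCORE_REGEX = re.compile(r"([a-zA-Z0-9_-]+)(?:\.[0-9-]*)?(?:\.[0-9\:-]*)?\.log")


def bro_sourcetype(source, regex=BRO_AUTOTYPE_REGEX):
    """Emulate the transform on the MetaData:Source value.

    Splunk applies REGEX with leftmost-match semantics and then expands
    FORMAT = sourcetype::bro_$1. Returns None when REGEX does not match,
    in which case the transform leaves the sourcetype untouched.
    """
    m = regex.search(source)
    return f"bro_{m.group(1)}" if m else None


# Constructed sample source paths (not taken from the thread).
SAMPLE_SOURCES = [
    "/nsm/bro/logs/current/conn.log",                      # plain name
    "/nsm/bro/logs/current/bro.conn.log",                  # prefixed name
    "/nsm/bro/logs/current/md5.bro.conn.log",              # double prefix
    "/nsm/bro/logs/2016-07-14/conn.00:00:00-01:00:00.log", # rotated name
    "/nsm/bro/logs/current/known_hosts.log",               # '_' in name
    "/nsm/bro/logs/current/conn_00.log",                   # '_' before digits
]


def sourcetype_table(sources=SAMPLE_SOURCES):
    """Map each source to (thread regex result, underscore-variant result).

    The thread's class lacks '_', so the match restarts after it: the
    last two samples yield bro_hosts and bro_00 instead of full names.
    """
    return {s: (bro_sourcetype(s), bro_sourcetype(s, UNDERSCORE_REGEX))
            for s in sources}


if __name__ == "__main__":
    for src, (orig, widened) in sourcetype_table().items():
        print(f"{src:55} {str(orig):16} {widened}")
```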

