[Bro] Revisiting CEF formatted BRO Logs

Jason Carr jason.carr at gmail.com
Thu Jul 28 08:36:49 PDT 2016


It might be a little work, but utilizing the JSON output (
https://www.bro.org/sphinx/scripts/policy/tuning/json-logs.bro.html) and
sending it to logstash, and in turn using mutate/filter in the logstash
config, may get you where you want to be.


On Thu, Jul 28, 2016 at 10:56 AM Ludwig Goon <lagoon7 at gmail.com> wrote:

> Can someone from the community provide more information or examples of
> using log writer to create CEF formatted logs for consumption with Arcsight
> SIEMs?
>
> It seems that we cannot customize ArcSight connectors for Bro logs;
> however, since ArcSight can accept CEF events directly, I would like to
> experiment with directly sending CEF formatted Bro events from the standard
> log set.
>
> Additionally, I have 5 Bro sensors and would like to tag each event with
> the Bro sensor's hostname before sending it to ArcSight. The default logs
> do not allow that modification, and the documentation is not the greatest. If
> you want to do this in ArcSight via the connector, which is a version or
> two behind, the connector will not allow the adding of the hostname.
>
> So I have attempted to write Perl and Python converters, but the
> performance of tailing logs and sending all events is challenging.
>
> Also, using bro-cut requires scripting, and again I am not sure I am sending
> ALL log events.
>
>
> In previous questions to the forum the answer was to use the logging
> framework; however, I have not seen any more content on this subject. Thus
> here is my formal request:
>
> Can someone show how to use the logging framework to convert, or have Bro
> output, the http.log in CEF format? Also, can I add custom fields such as
> sensor-name at the end of the event or at the beginning near CEF:0?
>
>
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
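As an added example (not code from this thread, and not part of Bro, logstash or ArcSight): a small Python converter that takes http.log lines in the JSON form written by json-logs.bro and emits one CEF:0 event per line, tagging each event with the sensor's hostname in the standard CEF `dvchost` extension key. It applies the escaping CEF requires (backslash and pipe in the header fields; backslash, equals and newlines in extension values), which is the part a hand-rolled converter most often gets wrong. The column-to-key mapping, the custom cs1/cn1 labels, the Bro version string, the sensor name and the sample record are all assumptions made for the example.

```python
import json
import socket
import sys

# Placeholder: set to the version of the Bro sensor producing the logs.
BRO_VERSION = "2.x"

# Constructed sample http.log record in JSON form, as written by the
# policy/tuning/json-logs.bro script (nested record fields are flattened
# with a "."); the values are made up for this example.
SAMPLE_HTTP_JSON = (
    '{"ts":1469723809.123456,"uid":"CXWv6p3arKYeMETxOg","id.orig_h":"10.0.0.5",'
    '"id.orig_p":51234,"id.resp_h":"93.184.216.34","id.resp_p":80,'
    '"method":"GET","host":"example.com","uri":"/index.html?a=1|b=2",'
    '"status_code":200,"user_agent":"curl/7.47.0"}'
)

# Assumed mapping from Bro http.log column names to CEF extension keys.
# cs1/cn1 are CEF "custom" slots and carry a matching *Label key.
HTTP_FIELD_MAP = [
    ("id.orig_h", "src"),
    ("id.orig_p", "spt"),
    ("id.resp_h", "dst"),
    ("id.resp_p", "dpt"),
    ("method", "requestMethod"),
    ("uri", "request"),
    ("host", "dhost"),
    ("user_agent", "requestClientApplication"),
    ("status_code", "cn1"),
    ("uid", "cs1"),
]
CUSTOM_LABELS = {"cn1": "status_code", "cs1": "bro_uid"}


def cef_escape_header(value):
    """CEF header fields: backslash and pipe must be backslash-escaped."""
    return str(value).replace("\\", "\\\\").replace("|", "\\|")


def cef_escape_extension(value):
    """CEF extension values: backslash and '=' are escaped; CR/LF become \\r and \\n."""
    text = str(value).replace("\\", "\\\\").replace("=", "\\=")
    return text.replace("\r", "\\r").replace("\n", "\\n")


def bro_http_to_cef(line, sensor_host, severity=3):
    """Convert one JSON http.log line into a CEF:0 event string."""
    rec = json.loads(line)
    # Header: CEF:0|Vendor|Product|Version|SignatureID|Name|Severity
    header = "CEF:0|" + "|".join(cef_escape_header(v) for v in (
        "Bro", "http", BRO_VERSION, "http", "HTTP request", severity))
    # rt is receipt time in milliseconds since the epoch; dvchost carries the
    # sensor hostname so events from several sensors stay distinguishable.
    ext = [("rt", int(float(rec["ts"]) * 1000)), ("dvchost", sensor_host)]
    for bro_key, cef_key in HTTP_FIELD_MAP:
        if rec.get(bro_key) is not None:
            ext.append((cef_key, rec[bro_key]))
            if cef_key in CUSTOM_LABELS:
                ext.append((cef_key + "Label", CUSTOM_LABELS[cef_key]))
    extension = " ".join("%s=%s" % (k, cef_escape_extension(v)) for k, v in ext)
    return header + "|" + extension


def convert_stream(lines, sensor_host):
    """Yield one CEF event per non-empty JSON line, skipping blank lines."""
    for line in lines:
        line = line.strip()
        if line:
            yield bro_http_to_cef(line, sensor_host)


if __name__ == "__main__":
    # Usage: tail -F http.log | python bro_http_to_cef.py [sensor-hostname]
    host = sys.argv[1] if len(sys.argv) > 1 else socket.gethostname()
    for event in convert_stream(sys.stdin, host):
        print(event)
```

Note that a literal "|" inside an extension value (as in the sample URI) is left alone on purpose: CEF only escapes pipes in the header, and a receiver that splits the whole line on "|" rather than on the first seven will mis-parse such events regardless of what the sender does.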