[Bro] Revisiting CEF formatted BRO Logs

Neslog neslog at gmail.com
Sat Jul 30 08:29:09 PDT 2016


Back in the days of the old bro 1.9 log formats I generated CEF logging.
Not the logging framework, but it worked perfectly.  It was just a bro script
that output to a file.

It's another option.

On Jul 30, 2016 11:25, "Ward Sladek" <wsladekjr at hotmail.com> wrote:

> If I were in your shoes and assuming it's possible to add the sensor
> ID/name to the bro logs, I would just add that one field (keeping the same
> format, etc) and not rewrite everything for CEF.
>
> Then I would press HP support to give me the encrypted bro parser (they
> have given me several parsers in the past) and write a parser override to
> account for the new sensor/worker field.
>
> Sorry this doesn't answer your question directly, but maybe this route is
> an option for you.
>
>
>
> ------------------------------
> *From:* bro-bounces at bro.org <bro-bounces at bro.org> on behalf of Ludwig
> Goon <lagoon7 at gmail.com>
> *Sent:* Thursday, July 28, 2016 9:53 AM
> *To:* bro at bro.org
> *Subject:* [Bro] Revisiting CEF formatted BRO Logs
>
> Can someone from the community provide more information or examples of
> using the log writer to create CEF formatted logs for consumption with ArcSight
> SIEMs?
>
> It seems that we cannot customize ArcSight connectors for BRO logs;
> however, since ArcSight can accept CEF events directly, I would like to
> experiment with directly sending CEF formatted BRO events from the standard
> log set.
>
> Additionally, I have 5 BRO sensors and would like to tag each event with
> the BRO sensor's hostname before sending it to ArcSight. The default logs
> do not allow that modification, and the documentation is not the greatest. If
> you want to do this in ArcSight via the connector, which is a version or
> two behind, the connector will not allow the adding of the hostname.
>
> So I have attempted to write Perl and Python converters, but the
> performance of tailing logs and sending all events is challenging.
>
> Also, using bro-cut requires scripting, and again I am not sure if I am sending
> ALL log events.
>
>
> In previous questions to the forum the answer was to use the logging
> framework; however, I have not seen any more content on this subject. Thus
> here is my formal request:
>
> Can someone show how to use the logging framework to convert, or have bro
> output, the http.log in CEF format? Also, can I add custom fields such as
> sensor-name at the end of the event or at the beginning near CEF:0?
>
>
>
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
>
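Added example (editor's illustration for this thread, not code from the original posters, from the Bro project, or from ArcSight): the request above is for http.log rendered as CEF with the sensor hostname attached to every event, and the reply above says a Bro script writing CEF to a file worked fine. The converter below shows the same transformation done outside Bro, in Python, over the lines the default ASCII log writer emits, so it can be fed from "tail -F http.log" and emits exactly one CEF line per data line, which addresses the "am I sending ALL log events" worry. Everything not in the thread is an assumption of this example: the Bro ASCII header handling (#separator, #fields, #unset_field, #empty_field), the CEF escaping rules (header fields escape backslash and pipe; extension values escape backslash, "=" and newlines), the choice of the standard CEF key "dvchost" for the sensor hostname, the Bro-field-to-CEF-key mapping, the vendor/product/severity placeholder strings, and the sample log lines, which are constructed rather than captured.

```python
import codecs
import re
import socket

# Bro field -> CEF extension key, where a standard CEF key fits (this mapping
# is an assumption of this example). Unmapped fields keep their Bro name with
# non-alphanumerics replaced by '_', since CEF keys should be alphanumeric.
FIELD_MAP = {
    "id.orig_h": "src", "id.orig_p": "spt",
    "id.resp_h": "dst", "id.resp_p": "dpt",
    "method": "requestMethod", "host": "dhost", "uri": "request",
    "user_agent": "requestClientApplication",
}


def esc_header(value):
    """Escape a CEF header field (vendor, product, name, ...): '\\' and '|'."""
    return value.replace("\\", "\\\\").replace("|", "\\|")


def esc_ext(value):
    """Escape a CEF extension value: '\\', '=' and line breaks ('|' is fine here)."""
    return (value.replace("\\", "\\\\").replace("=", "\\=")
            .replace("\r", "\\r").replace("\n", "\\n"))


def bro_ts_to_ms(ts):
    """Bro 'time' is epoch seconds with 6 decimals; CEF 'rt' wants epoch ms.
    Done on the string so float rounding cannot shift the millisecond."""
    sec, _, frac = ts.partition(".")
    return int(sec) * 1000 + int((frac + "000")[:3])


class BroLogReader:
    """Incremental parser for the Bro ASCII writer's output: feed lines in order
    (e.g. from 'tail -F'), get one dict per event. Header directives are honoured
    as they arrive, so a rotated file that repeats its header is handled too."""

    def __init__(self):
        self.sep, self.unset, self.empty = "\t", "-", "(empty)"
        self.path, self.fields = "unknown", []

    def header(self, line):
        if line.startswith("#separator "):
            # the writer spells a tab as the literal text '\x09'
            self.sep = codecs.decode(line[len("#separator "):], "unicode_escape")
            return
        key, _, val = line[1:].partition(self.sep)
        if key == "fields":
            self.fields = val.split(self.sep)
        elif key == "unset_field":
            self.unset = val
        elif key == "empty_field":
            self.empty = val
        elif key == "path":
            self.path = val
        # #set_separator, #types, #open and #close are not needed here

    def records(self, lines):
        for line in lines:
            line = line.rstrip("\r\n")
            if not line:
                continue
            if line.startswith("#"):
                self.header(line)
                continue
            if not self.fields:
                raise ValueError("data line seen before #fields header")
            values = line.split(self.sep)
            if len(values) != len(self.fields):
                raise ValueError("field count mismatch: %r" % line)
            rec = {}
            for name, val in zip(self.fields, values):
                if val == self.unset:
                    continue  # unset optional field: leave it out of the CEF event
                rec[name] = "" if val == self.empty else val
            yield rec


def record_to_cef(rec, path, sensor, vendor="Bro", product="IDS", version="2.4"):
    """Render one parsed record as a CEF:0 line. 'dvchost' (the standard CEF
    device-hostname key) carries the sensor name; signature id, name and the
    severity of 3 are placeholder choices for this example."""
    header = ["0", vendor, product, version, path, path + " log event", "3"]
    ext = ["rt=%d" % bro_ts_to_ms(rec["ts"])] if "ts" in rec else []
    ext.append("dvchost=" + esc_ext(sensor))
    for name, val in rec.items():
        if name != "ts":
            key = FIELD_MAP.get(name) or re.sub(r"[^A-Za-z0-9]", "_", name)
            ext.append("%s=%s" % (key, esc_ext(val)))
    return "CEF:" + "|".join(esc_header(h) for h in header) + "|" + " ".join(ext)


def bro_to_cef(lines, sensor):
    """Convert an iterable of Bro ASCII log lines to a list of CEF lines."""
    reader, out = BroLogReader(), []
    for rec in reader.records(lines):
        out.append(record_to_cef(rec, reader.path, sensor))
    return out


# Constructed sample in the Bro 2.x ASCII http.log layout (not a real capture);
# the second event has unset ('-') and empty ('(empty)') fields on purpose.
SAMPLE_HTTP_LOG = [
    "#separator \\x09",
    "#set_separator\t,",
    "#empty_field\t(empty)",
    "#unset_field\t-",
    "#path\thttp",
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tmethod\thost\turi\tuser_agent\tstatus_code",
    "#types\ttime\tstring\taddr\tport\taddr\tport\tstring\tstring\tstring\tstring\tcount",
    "1469717580.123456\tCXWv6p3arKYeMETxOg\t10.0.0.5\t51234\t93.184.216.34\t80\tGET\texample.com\t/search?q=a|b\tMozilla/5.0\t200",
    "1469717581.000000\tC4J4Th3PJpwUYZZ6gc\t10.0.0.7\t40001\t203.0.113.9\t8080\t-\t-\t(empty)\t-\t-",
    "#close\t2016-07-28-10-00-00",
]

if __name__ == "__main__":
    # On a sensor, replace SAMPLE_HTTP_LOG with sys.stdin fed by 'tail -F http.log'.
    for cef in bro_to_cef(SAMPLE_HTTP_LOG, sensor=socket.gethostname()):
        print(cef)
```

Two details worth checking against your ArcSight connector before relying on this: the "=" inside the URI is escaped as "\=" so the extension stays parseable, while the "|" in it is left alone because pipes are only special in the CEF header; and unset Bro fields are dropped rather than sent as "-", so the receiver never sees a dash where it expects a number. Because the parser re-reads header directives whenever they appear, log rotation (a fresh #fields block on the same tail) does not desynchronise the field mapping.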