[Bro] Another assist with Bro and Splunk
Hosom, Stephen M
hosom at battelle.org
Tue Jun 19 09:39:48 PDT 2018
Careful with the JSON logs. They use significantly more index.
That add-on does work with some minor modifications.
You’ll need to add a local transforms.conf to define a new REGEX and you’ll probably want to turn off the pcap monitor.
[BroAutoType]
REGEX = (?:[a-zA-Z0-9]+\.)?([a-zA-Z0-9_]+)\.log
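To see what that transforms.conf REGEX actually extracts from a Bro log path, here is a small Python check I added (it is not part of the message above or of the Splunk add-on). Splunk applies a transforms.conf REGEX unanchored, which `re.search` mirrors. The file names are constructed; the rotated-log name is my guess at Bro's rotation naming and is there to show a caveat: unanchored, the stanza's regex pulls a bogus type out of a rotated file name, whereas an anchored variant (also my addition, not the add-on's) simply fails to match and falls through to the default sourcetype.

```python
import re

# Regex copied from the [BroAutoType] stanza in the message above.
BRO_AUTOTYPE_REGEX = re.compile(r"(?:[a-zA-Z0-9]+\.)?([a-zA-Z0-9_]+)\.log")

# Stricter variant (my addition, not from the add-on): anchored to the whole
# file name, so a rotated-log name is rejected instead of partially matched.
BRO_AUTOTYPE_ANCHORED = re.compile(r"^(?:[a-zA-Z0-9]+\.)?([a-zA-Z0-9_]+)\.log$")


def bro_log_type(source_path, regex=BRO_AUTOTYPE_REGEX):
    """Return the Bro log type ("conn", "ssl", ...) derived from a file path,
    or None when the file name does not look like a Bro log.

    Only the last path component is inspected, as the transform's REGEX is
    meant to run against the file name, and the match is unanchored (search),
    like Splunk's transforms.conf handling."""
    name = source_path.rsplit("/", 1)[-1]
    match = regex.search(name)
    return match.group(1) if match else None


if __name__ == "__main__":
    # Constructed sample paths, not taken from any real deployment.
    samples = [
        "/opt/bro/logs/current/conn.log",
        "/opt/bro/logs/current/ssl.log",
        "/opt/bro/logs/current/x509.log",
        "sensor1.conn.log",  # optional "<prefix>." part of the regex in use
        "/opt/bro/logs/2018-06-19/conn.10:00:00-11:00:00.log",  # rotated name
        "/var/log/syslog",  # no ".log" suffix, so no match at all
    ]
    for path in samples:
        print("%-55s unanchored=%-5s anchored=%s" % (
            path, bro_log_type(path), bro_log_type(path, BRO_AUTOTYPE_ANCHORED)))
```

The rotated name is the one to watch: the unanchored regex returns "00" for it (the last "00" before ".log"), which would become a sourcetype nobody wants. Pointing the monitor only at Bro's current/ directory, or anchoring the REGEX, avoids that.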
From: <bro-bounces at bro.org> on behalf of Patrick Kelley <patrick.kelley at criticalpathsecurity.com>
Date: Tuesday, June 19, 2018 at 12:20 PM
To: "jlay at slave-tothe-box.net" <jlay at slave-tothe-box.net>
Cc: Bro-IDS <bro at bro.org>
Subject: Re: [Bro] Another assist with Bro and Splunk
Typically, I just ingest the json logs without issue.
Are you experiencing a particular issue?
Patrick Kelley, CISSP, C|EH, ITIL
CTO
patrick.kelley at criticalpathsecurity.com<mailto:patrick.kelley at criticalpathsecurity.com>
On Jun 19, 2018, at 8:56 AM, James Lay <jlay at slave-tothe-box.net<mailto:jlay at slave-tothe-box.net>> wrote:
So...before I recreate the wheel I thought I'd fire this here.
Situation:
bro 2.5.4 on a box
shipping off conn and ssl logs via rsyslog to another box
So I've looked at:
https://splunkbase.splunk.com/app/1617/#/overview
but this appears pretty old. So...before I go through the grueling
process of manually getting field extractions, I'm betting someone else
has already done the splunk-ish work. Thanks for any assistance.
James
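For the field extraction James asks about, and for Stephen's remark that the JSON logs cost more index, here is an added Python example (mine, not code from the thread, from Bro, or from the Splunk add-on). It parses Bro's ASCII log format from its own header lines (#separator, #fields, #types, #unset_field, #empty_field), which is exactly the metadata a Splunk field extraction has to reproduce once the logs leave the box via rsyslog without those headers. The conn.log sample is constructed with a subset of the Bro 2.5 conn fields; the second function re-serialises the parsed events as JSON (dropping unset fields, as Bro's JSON writer does) to show where the extra index volume comes from.

```python
import codecs
import json

# Constructed sample in Bro's ASCII log format (subset of 2.5 conn.log fields).
# Not taken from the thread. The #separator line spells the tab as an escape.
SAMPLE_CONN_LOG = "\n".join([
    "#separator \\x09",
    "#set_separator\t,",
    "#empty_field\t(empty)",
    "#unset_field\t-",
    "#path\tconn",
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tservice"
    "\tduration\torig_bytes\tresp_bytes\tconn_state",
    "#types\ttime\tstring\taddr\tport\taddr\tport\tenum\tstring"
    "\tinterval\tcount\tcount\tstring",
    "1529424000.123456\tCHhAvVGS1DHFjwGM9\t10.0.0.5\t51234\t93.184.216.34\t443"
    "\ttcp\tssl\t1.503\t1024\t4096\tSF",
    "1529424001.000000\tCmES5u32sYpV7JYN\t10.0.0.6\t53422\t10.0.0.1\t53"
    "\tudp\tdns\t-\t62\t-\tS0",
    "#close\t2018-06-19-10-00-00",
])


def _convert(value, bro_type):
    """Map a Bro column type to a Python value; containers stay as text."""
    if bro_type in ("count", "int", "port"):
        return int(value)
    if bro_type in ("time", "interval", "double"):
        return float(value)
    if bro_type == "bool":
        return value == "T"
    return value


def parse_bro_log(text):
    """Parse a Bro ASCII log into a list of dicts keyed by #fields names.

    Unset columns become None and empty columns become "", using the
    markers the log declares in its own header."""
    sep, unset, empty = "\t", "-", "(empty)"
    fields, types, records = [], [], []
    for line in text.splitlines():
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#separator "):
                # The separator is written as an escape sequence such as \x09.
                sep = codecs.decode(line[len("#separator "):], "unicode_escape")
                continue
            key, values = line[1:].split(sep)[0], line[1:].split(sep)[1:]
            if key == "unset_field":
                unset = values[0]
            elif key == "empty_field":
                empty = values[0]
            elif key == "fields":
                fields = values
            elif key == "types":
                types = values
            continue  # #path, #open, #close and friends carry no event data
        values = line.split(sep)
        if len(values) != len(fields):
            raise ValueError("column count does not match #fields: %r" % line)
        record = {}
        for i, (name, value) in enumerate(zip(fields, values)):
            bro_type = types[i] if i < len(types) else "string"
            if value == unset:
                record[name] = None
            elif value == empty:
                record[name] = ""
            else:
                record[name] = _convert(value, bro_type)
        records.append(record)
    return records


def tsv_vs_json_bytes(text):
    """Return (tsv_bytes, json_bytes) for the event lines of a Bro log.

    The JSON form repeats every field name on every event; unset fields are
    omitted rather than written as null, matching Bro's JSON output."""
    records = parse_bro_log(text)
    tsv_bytes = sum(len(l.encode()) for l in text.splitlines()
                    if l and not l.startswith("#"))
    json_bytes = sum(
        len(json.dumps({k: v for k, v in r.items() if v is not None},
                       separators=(",", ":")).encode())
        for r in records)
    return tsv_bytes, json_bytes


if __name__ == "__main__":
    for event in parse_bro_log(SAMPLE_CONN_LOG):
        print(event)
    print("tsv bytes vs json bytes:", tsv_vs_json_bytes(SAMPLE_CONN_LOG))
```

The parser is the cheap way to recover the exact column list and types for a field extraction, and the byte comparison makes Stephen's point concrete: the same two events take noticeably more space as JSON because each line carries its own key names.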
_______________________________________________
Bro mailing list
bro at bro-ids.org<mailto:bro at bro-ids.org>
http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro