[Bro] Another assist with Bro and Splunk
James Lay
jlay at slave-tothe-box.net
Tue Jun 19 12:54:32 PDT 2018
Appreciate that, thanks Stephen... just making my own field extractions
as we speak (type?)... easier than logstash ;)
James
On 2018-06-19 10:39, Hosom, Stephen M wrote:
> Careful with the JSON logs. They use significantly more index.
>
> That add-on does work with some minor modifications.
>
> You’ll need to add a local transforms.conf to define a new REGEX and
> you’ll probably want to turn off the pcap monitor.
>
>
> [BroAutoType]
> REGEX = (?:[a-zA-Z0-9]+\.)?([a-zA-Z0-9_]+)\.log
>
>
> From: <bro-bounces at bro.org> on behalf of Patrick Kelley
> <patrick.kelley at criticalpathsecurity.com>
> Date: Tuesday, June 19, 2018 at 12:20 PM
> To: "jlay at slave-tothe-box.net" <jlay at slave-tothe-box.net>
> Cc: Bro-IDS <bro at bro.org>
> Subject: Re: [Bro] Another assist with Bro and Splunk
>
> Typically, I just ingest the json logs without issue.
>
> Are you experiencing a particular issue?
> Patrick Kelley, CISSP, C|EH, ITIL
> CTO
> patrick.kelley at criticalpathsecurity.com
>
>
> On Jun 19, 2018, at 8:56 AM, James Lay
> <jlay at slave-tothe-box.net> wrote:
> So... before I recreate the wheel, I thought I'd fire this here.
> Situation:
>
> bro 2.5.4 on a box
> shipping off conn and ssl logs via rsyslog to another box
>
> So I've looked at:
>
> https://splunkbase.splunk.com/app/1617/#/overview
>
> but this appears pretty old. So... before I go through the grueling
> process of manually getting field extractions, I'm betting someone else
> has already done the splunk-ish work. Thanks for any assistance.
>
> James
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
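Two pieces of the thread fit together: Stephen's BroAutoType REGEX picks the log type out of the file name, and James is writing field extractions for the conn and ssl logs by hand. The Python below is an added example (not code from the thread or from the Splunk add-on) that does both offline: it applies that exact regex to file paths, and it derives field names and types from the self-describing header that Bro 2.5 writes at the top of every TSV log, so the extractions follow the header instead of being typed out per log. The sample conn.log is constructed and does not come from a real capture.

```python
import re

# Stephen's transforms.conf REGEX from the thread: the capture group is the
# Bro log type taken from the file name (e.g. "conn" from conn.log).
BRO_AUTOTYPE = re.compile(r"(?:[a-zA-Z0-9]+\.)?([a-zA-Z0-9_]+)\.log")

# Constructed sample of a Bro 2.5 TSV conn.log (not a real capture); the
# '#' header lines are what Bro writes at the top of every TSV log.
SAMPLE_CONN_LOG = (
    "#separator \\x09\n"
    "#unset_field\t-\n"
    "#path\tconn\n"
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tservice\n"
    "#types\ttime\tstring\taddr\tport\taddr\tport\tenum\tstring\n"
    "1529412000.123456\tCabc123\t10.0.0.5\t51234\t192.0.2.10\t443\ttcp\tssl\n"
    "1529412001.000000\tCdef456\t10.0.0.7\t51235\t192.0.2.11\t80\ttcp\t-\n"
)

# Casts keyed on Bro's #types names; anything else stays a string.
CASTS = {"port": int, "count": int, "int": int,
         "time": float, "interval": float, "double": float}


def log_type_from_path(path):
    """Apply the BroAutoType regex to a file path; None if it does not match."""
    m = BRO_AUTOTYPE.search(path)
    return m.group(1) if m else None


def parse_bro_tsv(text):
    """Parse a Bro TSV log into dicts; field names and types come from the header."""
    sep, unset, fields, types, records = "\t", "-", [], [], []
    for line in text.splitlines():
        if line.startswith("#separator "):
            # Bro writes the separator as an escape sequence, e.g. \x09
            sep = line.split(" ", 1)[1].encode().decode("unicode_escape")
        elif line.startswith("#"):
            key, _, rest = line.partition(sep)
            if key == "#fields":
                fields = rest.split(sep)
            elif key == "#types":
                types = rest.split(sep)
            elif key == "#unset_field":
                unset = rest
        elif line:
            rec = {}
            for name, typ, raw in zip(fields, types, line.split(sep)):
                rec[name] = None if raw == unset else CASTS.get(typ, str)(raw)
            records.append(rec)
    return records
```

Because the regex is unanchored, a rotated file name such as conn.00:00:00-01:00:00.log captures "00" rather than "conn", so it is best applied to the live conn.log and ssl.log names (or anchored on the directory separator).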