[Bro] Another assist with Bro and Splunk

Tue Jun 19 12:54:32 PDT 2018

Appreciate that thanks Stephen....just making my own field extractions 
as we speak(type?)...easier than logstash ;)

James

On 2018-06-19 10:39, Hosom, Stephen M wrote:
> Careful with the JSON logs. They use significantly more index.
> 
> That add-on does work with some minor modifications.
> 
> You’ll need to add a local transforms.conf to define a new REGEX and
> you’ll probably want to turn off the pcap monitor.
> 
> 
> [BroAutoType]
> 
> REGEX = (?:[a-zA-Z0-9]+\.)?([a-zA-Z0-9_]+)\.log
> 
> 
> From: <bro-bounces at bro.org> on behalf of Patrick Kelley
> <patrick.kelley at criticalpathsecurity.com>
> Date: Tuesday, June 19, 2018 at 12:20 PM
> To: "jlay at slave-tothe-box.net" <jlay at slave-tothe-box.net>
> Cc: Bro-IDS <bro at bro.org>
> Subject: Re: [Bro] Another assist with Bro and Splunk
> 
> Message received from outside the Battelle network. Carefully examine
> it before you open any links or attachments.
> Typically, I just ingest the json logs without issue.
> 
> Are you experiencing a particular issue?
> Patrick Kelley, CISSP, C|EH, ITIL
> CTO
> patrick.kelley at criticalpathsecurity.com<mailto:patrick.kelley at criticalpathsecurity.com>
> 
> 
> On Jun 19, 2018, at 8:56 AM, James Lay
> <jlay at slave-tothe-box.net<mailto:jlay at slave-tothe-box.net>> wrote:
> So...before I recreate the wheel I thought I'd fire this here.
> Situation:
> 
> bro 2.5.4 on a box
> shipping off conn and ssl logs via rsyslog to another box
> 
> So I've looked at:
> 
> https://splunkbase.splunk.com/app/1617/#/overview
> 
> but this appears pretty old.  So...before I go through the grueling
> process of manually getting field extractions, I'm betting someone else
> has already done the splunk-ish work.  Thanks for any assistance.
> 
> James
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org<mailto:bro at bro-ids.org>
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro