[Bro] Another assist with Bro and Splunk

Patrick Kelley patrick.kelley at criticalpathsecurity.com
Tue Jun 19 13:00:24 PDT 2018


Glad to hear/see that you have it sorted.

Yes. It’s an increase. Yes. Cutting them up in Splunk is much easier than Logstash.

Patrick Kelley, CISSP, C|EH, ITIL
CTO
patrick.kelley at criticalpathsecurity.com


> On Jun 19, 2018, at 12:54 PM, James Lay <jlay at slave-tothe-box.net> wrote:
> 
> Appreciate that, thanks Stephen... just making my own field extractions as we speak (type?)... easier than logstash ;)
> 
> James
> 
>> On 2018-06-19 10:39, Hosom, Stephen M wrote:
>> Careful with the JSON logs. They use significantly more index.
>> 
>> That add-on does work with some minor modifications.
>> You’ll need to add a local transforms.conf to define a new REGEX and
>> you’ll probably want to turn off the pcap monitor.
>> 
>> [BroAutoType]
>> REGEX = (?:[a-zA-Z0-9]+\.)?([a-zA-Z0-9_]+)\.log
>> 
>> From: <bro-bounces at bro.org> on behalf of Patrick Kelley
>> <patrick.kelley at criticalpathsecurity.com>
>> Date: Tuesday, June 19, 2018 at 12:20 PM
>> To: "jlay at slave-tothe-box.net" <jlay at slave-tothe-box.net>
>> Cc: Bro-IDS <bro at bro.org>
>> Subject: Re: [Bro] Another assist with Bro and Splunk
>> Typically, I just ingest the json logs without issue.
>> Are you experiencing a particular issue?
>> Patrick Kelley, CISSP, C|EH, ITIL
>> CTO
>> patrick.kelley at criticalpathsecurity.com<mailto:patrick.kelley at criticalpathsecurity.com>
>> On Jun 19, 2018, at 8:56 AM, James Lay
>> <jlay at slave-tothe-box.net<mailto:jlay at slave-tothe-box.net>> wrote:
>> So...before I recreate the wheel I thought I'd fire this here.
>> 
>> Situation:
>> bro 2.5.4 on a box
>> shipping off conn and ssl logs via rsyslog to another box
>> 
>> So I've looked at:
>> https://splunkbase.splunk.com/app/1617/#/overview
>> but this appears pretty old.  So...before I go through the grueling
>> process of manually getting field extractions, I'm betting someone else
>> has already done the splunk-ish work.  Thanks for any assistance.
>> 
>> James
>> _______________________________________________
>> Bro mailing list
>> bro at bro-ids.org<mailto:bro at bro-ids.org>
>> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
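As an added example (not code from this thread, from the Splunkbase add-on, or from Bro itself), the following Python script applies the BroAutoType REGEX quoted above to a few source paths, and does the "manual field extraction" the thread talks about by reading a Bro 2.5-style TSV log's own #separator / #unset_field / #empty_field / #fields header. The sample conn.log lines are constructed and abbreviated (a real conn.log has more columns), the function names are mine, and the "bro_<type>" sourcetype prefix is an assumption about the add-on's convention, not something the thread states.

```python
"""Bro-to-Splunk helpers: sourcetype detection with the thread's BroAutoType
REGEX, and a #fields-driven field extraction for Bro TSV logs.

Added example; not code from the mailing-list thread or from the Splunkbase
add-on. Function names and the sample log below are constructed.
"""
import re
from typing import Dict, Iterable, List, Optional

# The REGEX from the thread's local transforms.conf stanza. It is unanchored,
# so (as in Splunk) the first match found in the source path wins.
BRO_AUTOTYPE = re.compile(r"(?:[a-zA-Z0-9]+\.)?([a-zA-Z0-9_]+)\.log")


def bro_log_type(source: str) -> Optional[str]:
    """Return what BroAutoType's capture group yields for a source path,
    or None when the regex does not match at all."""
    m = BRO_AUTOTYPE.search(source)
    return m.group(1) if m else None


def parse_bro_tsv(lines: Iterable[str]) -> List[Dict[str, Optional[str]]]:
    """Extract fields from a Bro TSV log using its own header lines.

    #separator sets the column separator (written as an escape such as \\x09),
    #unset_field and #empty_field give the markers for unset ('-') and empty
    ('(empty)') values, and #fields names the columns. Unset values become
    None and empty values become ''. #path, #types, #open and #close are
    ignored here.
    """
    sep, unset, empty = "\t", "-", "(empty)"
    fields: List[str] = []
    records: List[Dict[str, Optional[str]]] = []
    for raw in lines:
        line = raw.rstrip("\r\n")
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#separator "):
                # e.g. "#separator \x09" -> a literal tab
                sep = line[len("#separator "):].encode("ascii").decode("unicode_escape")
            else:
                key, _, value = line[1:].partition(sep)
                if key == "unset_field":
                    unset = value
                elif key == "empty_field":
                    empty = value
                elif key == "fields":
                    fields = value.split(sep)
            continue
        if not fields:
            raise ValueError("data row before #fields header")
        values = line.split(sep)
        if len(values) != len(fields):
            raise ValueError(f"expected {len(fields)} columns, got {len(values)}")
        record: Dict[str, Optional[str]] = {}
        for name, value in zip(fields, values):
            record[name] = None if value == unset else "" if value == empty else value
        records.append(record)
    return records


def to_events(source: str, lines: Iterable[str]) -> List[Dict[str, Optional[str]]]:
    """Tag each extracted record with the sourcetype BroAutoType would pick.
    The 'bro_<type>' naming is an assumption made for this example."""
    log_type = bro_log_type(source)
    sourcetype = f"bro_{log_type}" if log_type else "bro_unknown"
    return [dict(record, sourcetype=sourcetype) for record in parse_bro_tsv(lines)]


# Constructed, abbreviated Bro 2.5-style conn.log (a real one has more columns).
SAMPLE_CONN_LOG = [
    r"#separator \x09",
    "#set_separator\t,",
    "#empty_field\t(empty)",
    "#unset_field\t-",
    "#path\tconn",
    "#open\t2018-06-19-08-56-00",
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tservice\tduration\tconn_state",
    "#types\ttime\tstring\taddr\tport\taddr\tport\tenum\tstring\tinterval\tstring",
    "1529423760.123456\tCXWv6p3arKYeMETxOg\t10.0.0.5\t51234\t192.0.2.10\t443\ttcp\tssl\t0.512\tSF",
    "1529423761.000000\tCYabc1d2e3f4g5h6i7\t10.0.0.6\t51235\t192.0.2.11\t53\tudp\t-\t-\tS0",
    "#close\t2018-06-19-09-00-00",
]


if __name__ == "__main__":
    for path in ("/opt/bro/logs/current/conn.log",
                 "/var/log/bro/bro.ssl.log",
                 "/opt/bro/logs/2018-06-19/conn.00:00:00-01:00:00.log.gz"):
        print(path, "->", bro_log_type(path))
    for event in to_events("/opt/bro/logs/current/conn.log", SAMPLE_CONN_LOG):
        print(event)
```

Two things worth noticing when running it: the unset marker "-" comes out as None rather than the literal string, which is what you want before the values hit a port or duration field; and because the REGEX is unanchored, a rotated archive such as conn.00:00:00-01:00:00.log.gz matches on the trailing "00", not on "conn", so either monitor only the current/ directory or anchor the regex to the file name if you point Splunk at the dated archive directories.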