[Bro] Another assist with Bro and Splunk
Seth Hall
seth at corelight.com
Thu Jun 21 11:32:37 PDT 2018
On 20 Jun 2018, at 1:01, Mike Eriksson wrote:
> I believe that Corelight have published some of their stuff for Splunk as well.
> It could be well worth having a look for those at Splunkbase too.
Yep! I believe we've already helped a few open-source users get it
working for themselves too. We also published a Bro package to help
people get their data from Bro prepped in a way that it's easily
consumable by Splunk here:
https://packages.bro.org/packages/view/73d21892-4fb7-11e8-88be-0a645a3f3086
I know that it's making the logs into JSON which increases indexing
costs, but there aren't really any other flexible and resilient
mechanisms that I've heard of with Splunk.
.Seth
--
Seth Hall * Corelight, Inc * www.corelight.com
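As an added illustration, not Seth's package or any Corelight code: the script below turns a Bro ASCII log into one JSON object per record, honoring the #separator, #fields, #types, #empty_field and #unset_field header so field types survive the conversion instead of everything becoming a string. The conn.log sample, the `_path` key and the function names are constructed assumptions.

```python
import json
SAMPLE_LOG = """#separator \\x09
#set_separator\t,
#empty_field\t(empty)
#unset_field\t-
#path\tconn
#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tservice\tduration\torig_bytes\tlocal_orig\ttunnel_parents
#types\ttime\tstring\taddr\tport\taddr\tport\tenum\tstring\tinterval\tcount\tbool\tset[string]
1529605957.123\tCAbc1\t10.0.0.5\t52341\t192.0.2.10\t443\ttcp\tssl\t1.5\t1024\tT\t(empty)
1529605958.000\tCAbc2\t10.0.0.6\t40000\t192.0.2.11\t53\tudp\t-\t-\t-\tF\tCtun1,Ctun2
#close\t2018-06-21-11-40-00
"""  # constructed sample conn.log (assumed content, not from the post)

# Bro #types name -> Python converter; anything else (string, addr, enum, ...) stays a string.
SCALAR = {"time": float, "interval": float, "double": float,
          "count": int, "int": int, "port": int, "bool": lambda v: v == "T"}

def _convert(raw, typ, meta):
    """Convert one field using its declared type and the log's field conventions."""
    if typ.startswith(("set[", "vector[")):           # containers use #set_separator
        inner = typ[typ.index("[") + 1:-1]
        return [] if raw == meta["empty_field"] else [
            _convert(v, inner, meta) for v in raw.split(meta["set_separator"])]
    return "" if raw == meta["empty_field"] else SCALAR.get(typ, str)(raw)

def bro_log_to_events(text, path_key="_path"):
    """Parse a Bro ASCII log into dicts; unset fields ('-') are dropped, not emitted as null."""
    sep, cols, events = "\t", {"fields": [], "types": []}, []
    meta = {"set_separator": ",", "empty_field": "(empty)", "unset_field": "-", "path": None}
    for line in text.splitlines():
        if line.startswith("#separator "):            # value is escaped, e.g. \x09 for TAB
            sep = line[len("#separator "):].encode().decode("unicode_escape")
        elif line.startswith("#"):                    # other header directives (#open/#close too)
            key, _, value = line[1:].partition(sep)
            if key in cols:
                cols[key] = value.split(sep)
            else:
                meta[key] = value
        elif line:
            event = {n: _convert(v, t, meta)
                     for n, t, v in zip(cols["fields"], cols["types"], line.split(sep))
                     if v != meta["unset_field"]}
            if meta["path"]:
                event[path_key] = meta["path"]        # assumed key naming the log type
            events.append(event)
    return events

def to_json_lines(events):
    return "\n".join(json.dumps(e, sort_keys=True) for e in events)
```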