[Bro] Another assist with Bro and Splunk

Seth Hall seth at corelight.com
Thu Jun 21 11:32:37 PDT 2018



On 20 Jun 2018, at 1:01, Mike Eriksson wrote:

> I believe that Corelight have published some of their stuff for Splunk
> as well. It could be well worth having a look for those at Splunkbase
> too.

Yep!  I believe we've already helped a few open-source users get it
working for themselves too.  We also published a Bro package to help
people get their data from Bro prepped in a way that it's easily
consumable by Splunk here:
	https://packages.bro.org/packages/view/73d21892-4fb7-11e8-88be-0a645a3f3086

I know that it's making the logs into JSON, which increases indexing
costs, but there aren't really any other flexible and resilient
mechanisms that I've heard of with Splunk.

   .Seth

--
Seth Hall * Corelight, Inc * www.corelight.com
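The conversion the message refers to, Bro's native tab-separated ASCII logs turned into JSON lines that a Splunk indexer can ingest field by field, shown as an added example. This is not the Corelight package linked above and not Bro's own JSON writer; it is a stand-alone Python script that reads the standard ASCII-writer header lines (#separator, #set_separator, #empty_field, #unset_field, #fields, #types) and uses the #types row to cast each column, so unset values become null, sets become arrays, and counts, ports, times and booleans keep their types instead of arriving as strings. The conn.log sample embedded in it is constructed for the example, not a capture from a real network.

```python
"""Convert a Bro ASCII (tab-separated) log into JSON lines.

Added example; not the Corelight Splunk package and not Bro's built-in
JSON log writer. Assumes the standard Bro ASCII-writer header lines.
"""
import json

# Constructed sample of a Bro conn.log (not real traffic). The first
# header line carries the column separator as an escape sequence.
SAMPLE_CONN_LOG = (
    "#separator \\x09\n"
    "#set_separator\t,\n"
    "#empty_field\t(empty)\n"
    "#unset_field\t-\n"
    "#path\tconn\n"
    "#open\t2018-06-21-11-32-37\n"
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto"
    "\tservice\tduration\torig_bytes\tlocal_orig\ttunnel_parents\n"
    "#types\ttime\tstring\taddr\tport\taddr\tport\tenum"
    "\tstring\tinterval\tcount\tbool\tset[string]\n"
    "1529605957.123456\tCXWv6p3arKYeMETxOg\t10.0.0.5\t51234\t93.184.216.34"
    "\t443\ttcp\tssl\t1.5\t1024\tT\t-\n"
    "1529605958.000000\tCjhGID4nQcgTWjvg4c\t10.0.0.7\t53000\t10.0.0.1"
    "\t53\tudp\tdns\t-\t0\tF\t(empty)\n"
    "#close\t2018-06-21-11-40-00\n"
)


def _decode_separator(token):
    # Bro writes the separator as an escape sequence such as \x09.
    return token.encode("ascii").decode("unicode_escape")


def _cast_scalar(value, btype, meta):
    # Map Bro scalar types onto JSON-native types; everything else stays text.
    if value == meta["empty_field"]:
        return ""
    if btype in ("count", "int", "port"):
        return int(value)
    if btype in ("time", "interval", "double"):
        return float(value)
    if btype == "bool":
        return value == "T"
    return value  # string, addr, subnet, enum, ...


def _cast(value, btype, meta):
    # An unset column ("-" by default) has no value at all -> null.
    if value == meta["unset_field"]:
        return None
    if btype.startswith(("set[", "vector[")):
        # Container columns: empty marker -> [], else split on set_separator.
        if value == meta["empty_field"]:
            return []
        inner = btype[btype.index("[") + 1:-1]
        return [_cast_scalar(v, inner, meta) for v in value.split(meta["set_separator"])]
    return _cast_scalar(value, btype, meta)


def parse_bro_log(text):
    """Return a list of dicts, one per data row, typed from the #types header."""
    meta = {"separator": "\t", "set_separator": ",",
            "empty_field": "(empty)", "unset_field": "-"}
    fields = types = None
    records = []
    for line in text.splitlines():
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#separator "):
                meta["separator"] = _decode_separator(line.split(" ", 1)[1])
                continue
            key, _, val = line[1:].partition(meta["separator"])
            if key in ("set_separator", "empty_field", "unset_field"):
                meta[key] = val
            elif key == "fields":
                fields = val.split(meta["separator"])
            elif key == "types":
                types = val.split(meta["separator"])
            continue  # #path, #open, #close carry no per-row data
        if fields is None or types is None:
            raise ValueError("data row before #fields/#types header")
        cols = line.split(meta["separator"])
        if len(cols) != len(fields):
            raise ValueError("column count mismatch in row: %r" % line)
        records.append({f: _cast(v, t, meta) for f, v, t in zip(fields, cols, types)})
    return records


def to_json_lines(text):
    """One JSON object per line, the shape a Splunk JSON sourcetype expects."""
    return "\n".join(json.dumps(r, sort_keys=True) for r in parse_bro_log(text))


if __name__ == "__main__":
    print(to_json_lines(SAMPLE_CONN_LOG))
```

Casting from the #types row is what makes the JSON useful on the Splunk side: a port or byte count that arrives as a quoted string sorts and compares lexically, and an unset field left as the literal "-" is indistinguishable from a real value. A rotated log that was cut off mid-write shows up as a column-count mismatch rather than as a silently truncated record.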

