[Bro] An assist with Splunk addon
Joshua Buysse
buysse at umn.edu
Thu May 17 09:50:26 PDT 2018
This looks like you’re sending “cooked” Splunk output to a TCP input, which is suitable for syslog data or similar (though I would recommend using an intermediate like syslog-ng and picking up the files rather than having splunkd receive syslog directly).
If you’re using the GUI, you want to add the input port from Settings -> Data -> Forwarding and Receiving and configure a port for receiving the cooked data there.
-J
--
Joshua Buysse
University of Minnesota - University Information Security
"On two occasions I have been asked, 'Pray, Mr. Babbage, if you put into the machine wrong figures, will the right answers come out?' I am not able rightly to apprehend the kind of confusion of ideas that could provoke such a question."
-- Charles Babbage
> On May 17, 2018, at 11:25, James Lay <jlay at slave-tothe-box.net> wrote:
>
> All,
>
> So I've been dabbling with Splunk, Bro, and the Corelight apps. I set up a listener, installed the App on the Splunk server, and installed the Universal Forwarder (just trying it out; I know I can just use rsyslog/syslog-ng) on the machine that's running bro, pointed the Universal Forwarder to a listener, and installed the TA addon on the machine running bro and the Universal Forwarder. Alas, my output is...unexpected:
>
> <2018-05-17 10_21_02-Search _ Splunk 7.1.0.png>
>
> Anyone have any hints on what the issue might be? Thank you.
>
> James
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
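As an added illustration (not part of either message, and not Corelight's or Splunk's own configuration), here is the inputs.conf/outputs.conf equivalent of the GUI change described above, with the raw TCP input that produces the symptom placed beside the splunktcp receiver that the Universal Forwarder actually needs. Port numbers, the group name and the indexer hostname are assumptions.

```ini
# Indexer side: $SPLUNK_HOME/etc/system/local/inputs.conf
#
# Not suitable for a Universal Forwarder: a raw TCP input. Splunk treats
# whatever arrives on this port as plain text, so a forwarder's "cooked"
# Splunk-to-Splunk stream is indexed as unreadable binary-looking events.
# Keep stanzas like this only for real syslog senders (port 514 assumed).
[tcp://514]
sourcetype = syslog
connection_host = dns

# Suitable for a Universal Forwarder: a splunktcp receiver, which is what
# Settings -> Forwarding and Receiving -> Receive data creates in the GUI.
# 9997 is the conventional receiving port and an assumption here.
[splunktcp://9997]
disabled = 0

# Forwarder side: $SPLUNK_HOME/etc/system/local/outputs.conf on the Bro host.
# The target must be the splunktcp receiver above, not the raw TCP input.
# "splunk-indexer.example.com" and the group name are placeholders.
[tcpout]
defaultGroup = bro_indexers

[tcpout:bro_indexers]
server = splunk-indexer.example.com:9997
```

After editing either file, restart splunkd on that host (or reload inputs on the indexer) for the change to take effect.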