[Bro] An assist with Splunk addon

James Lay jlay at slave-tothe-box.net
Thu May 17 10:39:00 PDT 2018


Thanks all...puts me on the right track. 

James 

On 2018-05-17 11:19, Steve Brant wrote:

> This is because the indexer (listener) is expecting Splunk "cooked" data. Your inputs.conf setting on the indexer is probably something like:  
> 
> [tcp://:9997] 
> 
> it should be: 
> 
> [splunktcp://:9997] 
> 
> https://docs.splunk.com/Documentation/Splunk/7.1.0/Admin/Inputsconf 
> 
> Steve 
> 
> On Thu, May 17, 2018 at 9:37 AM James Lay <jlay at slave-tothe-box.net> wrote: 
> 
>> All,
>> 
>> So I've been dabbling with Splunk, Bro, and the Corelight apps.  I set up a listener, installed the App on the Splunk server, and installed the Universal Forwarder (just trying it out; I know I can just use rsyslog/syslog-ng) on the machine that's running bro, pointed the Universal Forwarder to a listener, and installed the TA addon on the machine running bro and the Universal Forwarder.  Alas, my output is...unexpected: 
>> 
>> Anyone have any hints on what the issue might be?  Thank you. 
>> 
>> James
>> _______________________________________________
>> Bro mailing list
>> bro at bro-ids.org
>> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
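As an added example (not code from this thread or from Splunk), a small Python check for the misconfiguration Steve describes: it parses a receiver's inputs.conf and a forwarder's outputs.conf and flags any raw `[tcp://...]` stanza listening on a port that the forwarder sends cooked data to, which should be `[splunktcp://...]` instead. The config text, hostname and ports below are constructed.

```python
"""Flag raw tcp:// listeners that a Universal Forwarder targets.
A forwarder sends Splunk 'cooked' data, so the receiving stanza must be
[splunktcp://...]; a [tcp://...] stanza on that port yields garbage events.
"""
import configparser
from typing import List

# Constructed receiver inputs.conf mirroring the thread's mistaken stanza.
SAMPLE_INPUTS_CONF = """\
[tcp://:9997]
sourcetype = bro_conn
disabled = 0

[splunktcp://:9998]
disabled = 0

[monitor:///opt/bro/logs/current]
sourcetype = bro
"""

# Constructed forwarder outputs.conf; hostname and port are assumptions.
SAMPLE_OUTPUTS_CONF = """\
[tcpout]
defaultGroup = bro_indexers

[tcpout:bro_indexers]
server = splunk.example.invalid:9997
"""

def _stanzas(text: str) -> configparser.ConfigParser:
    """Parse Splunk .conf text; interpolation off so '%' in values is safe."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    return cp

def raw_tcp_listeners(inputs_text: str) -> List[str]:
    """Stanza names that accept raw TCP rather than cooked forwarder data."""
    return [s for s in _stanzas(inputs_text).sections() if s.startswith("tcp://")]

def forwarder_ports(outputs_text: str) -> List[int]:
    """Ports named in every [tcpout:<group>] 'server = host:port, ...' line."""
    cp = _stanzas(outputs_text)
    ports = []
    for s in cp.sections():
        if s.startswith("tcpout:") and cp.has_option(s, "server"):
            for hostport in cp.get(s, "server").split(","):
                ports.append(int(hostport.strip().rsplit(":", 1)[1]))
    return ports

def mismatched_listeners(inputs_text: str, outputs_text: str) -> List[str]:
    """tcp:// stanzas whose port a forwarder sends cooked data to."""
    ports = set(forwarder_ports(outputs_text))
    return [s for s in raw_tcp_listeners(inputs_text)
            if int(s.rsplit(":", 1)[1]) in ports]

def suggested_fix(stanza: str) -> str:
    """Rewrite a tcp:// stanza name as its splunktcp:// form."""
    return "splunk" + stanza if stanza.startswith("tcp://") else stanza
```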
