[Bro] An assist with Splunk addon

James Lay jlay at slave-tothe-box.net
Thu May 17 12:58:02 PDT 2018


Ok....so now I see data when searching: 

sourcetype="conn" 

However the Corelight App proper shows no info....any other hints? 
Thank you. 

James 

On 2018-05-17 11:39, James Lay wrote:

> Thanks all...puts me on the right track. 
> 
> James 
> 
> On 2018-05-17 11:19, Steve Brant wrote: 
> This is because the indexer (listener) is expecting Splunk "cooked" data. Your inputs.conf setting on the indexer is probably something like:  
> 
> [tcp://:9997] 
> 
> it should be: 
> 
> [splunktcp://:9997] 
> 
> https://docs.splunk.com/Documentation/Splunk/7.1.0/Admin/Inputsconf 
> 
> Steve 
> 
> On Thu, May 17, 2018 at 9:37 AM James Lay <jlay at slave-tothe-box.net> wrote: 
> 
> All,
> 
> So I've been dabbling with Splunk, Bro, and the Corelight apps.  I set up a listener, installed the App on the Splunk server, and installed the Universal Forwarder (just trying it out; I know I can just use rsyslog/syslog-ng) on the machine that's running bro, pointed the Universal Forwarder to a listener, and installed the TA addon on the machine running bro and the Universal Forwarder.  Alas, my output is...unexpected:
> 
> Anyone have any hints on what the issue might be?  Thank you. 
> 
> James
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro

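Steve's diagnosis above comes down to one stanza name in inputs.conf on the indexer: a Universal Forwarder sends "cooked" data, so the receiving port must be declared as `[splunktcp://:<port>]`, not `[tcp://:<port>]`. The following is an added example (not code from the thread or from Splunk) that lints an inputs.conf for exactly that mistake: it parses the stanzas, finds any raw `tcp://` listener on the port the forwarder targets, and proposes the `splunktcp://` replacement. The sample configuration is constructed to mirror the mis-configured indexer described in the thread; the hypothetical host name and the second listener on port 9998 are assumptions.

```python
"""Lint a Splunk inputs.conf for listener stanzas that would receive
Universal Forwarder traffic as raw TCP instead of cooked Splunk data.
Added example; the configuration text below is constructed, not taken
from any real deployment."""
import re

# Constructed sample inputs.conf: a raw tcp:// listener on the port the
# forwarder sends to (the bug from the thread) plus a correct splunktcp://
# listener on a second, assumed port.
SAMPLE_INPUTS_CONF = """\
[default]
host = indexer01

[tcp://:9997]
sourcetype = conn
connection_host = dns

[splunktcp://:9998]
disabled = 0
"""

STANZA_RE = re.compile(r"^\[(.+)\]\s*$")
# Listener stanzas look like tcp://<remote host>:<port> or tcp://:<port>;
# the same shape applies to splunktcp://.
LISTENER_RE = re.compile(r"^(tcp|splunktcp)://(?:[^:]*):(\d+)$")


def parse_stanzas(text):
    """Return {stanza_name: {key: value}} from inputs.conf-style text.

    Blank lines and '#' comments are skipped; keys are 'name = value'.
    """
    stanzas = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = STANZA_RE.match(line)
        if m:
            current = m.group(1)
            stanzas[current] = {}
            continue
        if current is not None and "=" in line:
            key, _, value = line.partition("=")
            stanzas[current][key.strip()] = value.strip()
    return stanzas


def listener_scheme_and_port(stanza_name):
    """Split 'tcp://:9997' into ('tcp', 9997); None for non-listener stanzas."""
    m = LISTENER_RE.match(stanza_name)
    if not m:
        return None
    return m.group(1), int(m.group(2))


def find_raw_listeners(text, forwarder_port):
    """Names of stanzas that listen on forwarder_port with the raw tcp:// scheme.

    Those are the stanzas that will mangle Universal Forwarder output,
    because the forwarder sends cooked data that only splunktcp:// decodes.
    """
    hits = []
    for name in parse_stanzas(text):
        parsed = listener_scheme_and_port(name)
        if parsed == ("tcp", forwarder_port):
            hits.append(name)
    return hits


def suggest_fix(stanza_name):
    """Rewrite a raw tcp:// stanza name to its splunktcp:// equivalent."""
    if stanza_name.startswith("tcp://"):
        return "splunktcp://" + stanza_name[len("tcp://"):]
    return stanza_name


if __name__ == "__main__":
    # The forwarder in the thread was pointed at port 9997.
    for bad in find_raw_listeners(SAMPLE_INPUTS_CONF, 9997):
        print(f"[{bad}] receives raw TCP; change it to [{suggest_fix(bad)}]")
```

Run against the real file with `open("/opt/splunk/etc/system/local/inputs.conf").read()` (path assumed) and the port from the forwarder's outputs.conf; a hit means the indexer is parsing the forwarder's cooked stream as plain text, which is what produced the unexpected output in the original report.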
