[Bro] An assist with Splunk addon

Samuel Oehlert soehlert at es.net
Fri May 18 09:41:45 PDT 2018


I haven't played with the Corelight App so I'm not sure what the index
names they're looking for are, but usually I've found when TAs don't show
anything, yet I can see it search, it's because the index name is not the
same.

- Sam

On Thu, May 17, 2018 at 3:00 PM James Lay <jlay at slave-tothe-box.net> wrote:

> Ok....so now I see data when searching:
>
> sourcetype="conn"
>
> However the Corelight App proper shows no info....any other hints?  Thank
> you.
>
> James
>
> On 2018-05-17 11:39, James Lay wrote:
>
> Thanks all...puts me on the right track.
>
> James
>
>
>
> On 2018-05-17 11:19, Steve Brant wrote:
>
> This is because the indexer (listener) is expecting Splunk "cooked" data.
> Your inputs.conf setting on the indexer is probably something like:
>
> [tcp://:9997]
>
> it should be:
>
> [splunktcp://:9997]
>
> https://docs.splunk.com/Documentation/Splunk/7.1.0/Admin/Inputsconf
>
> Steve
>
> On Thu, May 17, 2018 at 9:37 AM James Lay <jlay at slave-tothe-box.net>
> wrote:
>
>> All,
>>
>> So I've been dabbling with Splunk, Bro, and the Corelight apps.  I set up
>> a listener, installed the App on the Splunk server, and installed the
>> Universal Forwarder (just trying it out; I know I can just use
>> rsyslog/syslog-ng) on the machine that's running bro, pointed the Universal
>> Forwarder to a listener, and installed the TA addon on the machine running
>> bro and the Universal Forwarder.  Alas, my output is...unexpected:
>>
>>
>> Anyone have any hints on what the issue might be?  Thank you.
>>
>> James
>> _______________________________________________
>> Bro mailing list
>> bro at bro-ids.org
>> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
>
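The two checks this thread comes down to (a raw `[tcp://...]` listener where a Universal Forwarder needs `[splunktcp://...]`, and index names that the app is not searching), as an added example that is not from the thread, Splunk, or Corelight. The sample inputs.conf and the set of indexes the app is assumed to search are constructed for illustration.

```python
import re

# Constructed sample inputs.conf (assumption, not from the thread): one raw
# TCP listener on the forwarder port and one file monitor writing to a
# differently named index.
SAMPLE_INPUTS_CONF = """\
[tcp://:9997]
index = bro
sourcetype = conn

[monitor:///opt/bro/logs/current/conn.log]
index = bro_logs
sourcetype = conn
"""

STANZA_RE = re.compile(r"^\[(?P<stanza>[^\]]+)\]\s*$")


def parse_inputs_conf(text):
    """Return a list of (stanza_name, {key: value}) in file order."""
    stanzas = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = STANZA_RE.match(line)
        if m:
            current = (m.group("stanza"), {})
            stanzas.append(current)
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            current[1][key.strip()] = value.strip()
    return stanzas


def find_raw_tcp_listeners(stanzas):
    """tcp:// stanzas accept raw data; a Universal Forwarder sends cooked data."""
    return [name for name, _ in stanzas if name.startswith("tcp://")]


def suggested_fix(stanza):
    """tcp://:9997 -> splunktcp://:9997 (same port, cooked-data listener)."""
    return "splunk" + stanza


def indexes_in_use(stanzas):
    return sorted({kv["index"] for _, kv in stanzas if "index" in kv})


def check(text, app_indexes):
    """Report misconfigurations; app_indexes is the set the app searches (assumed)."""
    stanzas = parse_inputs_conf(text)
    problems = []
    for name in find_raw_tcp_listeners(stanzas):
        problems.append(f"[{name}] accepts raw data; forwarder traffic needs [{suggested_fix(name)}]")
    for idx in indexes_in_use(stanzas):
        if idx not in app_indexes:
            problems.append(f"index={idx} is not searched by the app ({', '.join(sorted(app_indexes))})")
    return problems
```

Run `check()` against the indexer's inputs.conf first and the forwarder's second; an empty list from both means the remaining cause is something other than the two the thread identifies.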