[Zeek] Documentation about Corelight's Splunk Apps for Zeek

ericooi at gmail.com ericooi at gmail.com
Fri Dec 20 06:43:12 PST 2019


Cool, then that should work. Like I said, your environment and requirements will be unique, so adjust as needed. The entire guide is meant just as a way to help people get started. It’s not meant to be a one-size-fits-all solution.

> On Dec 20, 2019, at 8:41 AM, Carlos Lopez <clopmz at outlook.com> wrote:
> 
> I agree with both of you. But this is a little lab to accomplish some tests using the Splunk free version (I don’t expect more than 500 MiB of daily logs).
>  
> On the other side, Elastic is too expensive in maintenance, and for me it is not an option in my case. With Splunk things just work.
>  
> -- 
> Regards,
> C. L. Martinez
>  
> From: Patrick Kelley <patrick.kelley at criticalpathsecurity.com>
> Date: Friday, 20 December 2019 at 15:35
> To: "ericooi at gmail.com" <ericooi at gmail.com>
> Cc: Carlos Lopez <clopmz at outlook.com>, "zeek at zeek.org" <zeek at zeek.org>
> Subject: Re: [Zeek] Documentation about Corelight's Splunk Apps for Zeek
>  
> Seconding the statements of Eric, Splunk costs can get expensive extremely quickly with Zeek.
> 
> My only secondary suggestion is that you ingest individual logs to provide a bit more granularity and control.  You might not wish to ingest every log due to the processing and storage costs.
>  
> In the past, I've tried leveraging Splunk multiple times due to my familiarity.  In the end, we've built our stack around Elastic. 
>  
> We were just spending too much time servicing the hammer, instead of building the house. 
>  
> On Fri, Dec 20, 2019 at 9:29 AM ericooi at gmail.com <ericooi at gmail.com> wrote:
> Hi Carlos,
>  
> “Best” is subjective.  For someone who wants all logs and a short inputs.conf file, your suggestion will work.  My example is geared towards the fact that these logs are large and depending on your Splunk license and requirements, you may not actually want to ingest every single log file into your system.  Ultimately, you know your environment and needs best which is why I also state in the writeup:
>  
> “An example inputs.conf is below but may or may not include the logs you wish to ingest...Modify the index and sourcetype configurations to your needs.”
>  
> Hope that helps!
> Eric
>  
> On Dec 20, 2019, at 8:22 AM, Carlos Lopez <clopmz at outlook.com> wrote:
>  
> Thanks Eric. But I have a doubt about your setup. For inputs.conf, maybe this configuration is best?
>  
> [monitor:///opt/zeek/logs/spool/current]
> disabled = 0
> sourcetype = zeek:json
> whitelist = \.log$
>  
> instead of putting them in file by file?
> -- 
> Regards,
> C. L. Martinez
>  
> From: Eric Ooi <ericooi at gmail.com>
> Date: Friday, 20 December 2019 at 13:52
> To: Amber Graner <akgraner at corelight.com>, Carlos Lopez <clopmz at outlook.com>
> Cc: "zeek at zeek.org" <zeek at zeek.org>
> Subject: Re: [Zeek] Documentation about Corelight's Splunk Apps for Zeek
>  
> Assuming you’re doing an install on a standalone Splunk server, you can use my guide here: https://www.ericooi.com/zeekurity-zen-part-iii-how-to-send-zeek-bro-logs-to-splunk/
>  
>  
> From: zeek-bounces at zeek.org on behalf of Amber Graner <akgraner at corelight.com>
> Sent: Friday, December 20, 2019 6:13 AM
> To: Carlos Lopez
> Cc: zeek at zeek.org
> Subject: Re: [Zeek] Documentation about Corelight's Splunk Apps for Zeek 
>  
> Hi Carlos, 
>  
> As that is a Corelight offering and not something maintained by the Zeek Project or the community, we’d have to refer you to Corelight.
>  
> Let me find out who you need to talk to and I’ll make introductions. 
>  
> Thanks,
> ~Amber 
>  
> On Fri, Dec 20, 2019 at 3:56 AM Carlos Lopez <clopmz at outlook.com> wrote:
> Hi all,
>  
> I would like to install the Corelight App for Splunk and the TA for Corelight, but there is no documentation about how to accomplish it … All info points to https://www.corelight.com/support/, but there are no docs there …
>  
> Any idea?
>  
>  
> -- 
> Regards,
> C. L. Martinez
> _______________________________________________
> Zeek mailing list
> zeek at zeek.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/zeek
> -- 
>  
> Amber Graner
> Director of Community
> Corelight, Inc
>  
> 828.582.9469
>  
> Schedule time on my calendar here. <https://calendly.com/amber_graner>
>  
>  
>  * Ask me about how you can participate in the Zeek (formerly Bro) community.
>  * Remember - ZEEK AND YOU SHALL FIND!!
>  
> 
>  
> -- 
>  
> Patrick Kelley, CISSP, C|EH, ITIL
> CTO
> patrick.kelley at criticalpathsecurity.com
> (o) 770-224-6482
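An added example inputs.conf, not from this thread, Eric's guide, or the Corelight TA, that combines the two approaches discussed above: one directory monitor with a whitelist for the small logs (Carlos's suggestion) plus individual stanzas for the heavy ones so each can go to its own index or be left out entirely (Eric's and Patrick's point about license and storage cost). The paths, the index names, and the choice of conn.log, dns.log and files.log as the heavy logs are assumptions for a lab like the one described; the indexes must already exist, and the sourcetype must match whatever your TA expects.

```ini
# Added example (not from the thread or any TA): selective Zeek log ingestion.
# Assumptions: Zeek writes JSON logs to /opt/zeek/logs/spool/current, the
# indexes "zeek", "zeek_conn" and "zeek_dns" already exist, and "zeek:json"
# is the sourcetype your TA parses.

# Catch-all for the small, high-value logs (notice, ssl, http, weird, ...).
# whitelist and blacklist are regexes matched against the FULL file path;
# a file matching both is excluded, which keeps the heavy logs out of this
# stanza so they are not monitored by two inputs at once.
[monitor:///opt/zeek/logs/spool/current]
disabled = 0
index = zeek
sourcetype = zeek:json
whitelist = \.log$
blacklist = /(conn|dns|files)\.log$

# Heavy but essential: separate indexes so retention can be tuned per log
# and so each log's daily volume shows up on its own in license usage.
[monitor:///opt/zeek/logs/spool/current/conn.log]
disabled = 0
index = zeek_conn
sourcetype = zeek:json

[monitor:///opt/zeek/logs/spool/current/dns.log]
disabled = 0
index = zeek_dns
sourcetype = zeek:json

# files.log is deliberately not monitored in this lab to stay inside the
# 500 MB/day free license; remove it from the blacklist above to ingest it.
```

With this layout, turning a log on or off is a one-line change to the blacklist, and the per-file stanzas are the place to set a different sourcetype if your TA expects one per log type rather than a single JSON sourcetype.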

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ICSI.Berkeley.EDU/pipermail/zeek/attachments/20191220/59093efe/attachment-0001.html

