Ok actually two questions:
1) I'm not able to get this to load with either:
@policy/integration/barnyard2
@integration/barnyard2
And from barnyard2 docs:
alert_bro
Ok I've got this loading now with the below in local.bro:
@load policy/integration/barnyard2
tail: loaded_scripts.log: file truncated
/usr/local/bro/share/bro/policy/integration/barnyard2/__load__.bro
/usr/local/bro/share/bro/policy/integration/barnyard2/types.bro
/usr/local/bro/share/bro/policy/integration/barnyard2/main.bro
The next bit...how do I tell bro to open a listening port? Thank you.
James
@load frameworks/communication/listen
The default port is 47757/tcp, you can redef "Communication::listen_port" to change it.
- Jon
Excellent thank you. Last question...I have this:
@load tuning/logs-to-elasticsearch
redef LogElasticSearch::send_logs += {
Conn::LOG,
};
Will I need to add an additional item? Or will bro pipe the barnyard2 data automatically to elasticsearch? Thanks again.
James
If you don't specify to send the barnyard log to ES, then it won't go (unless you don't specify which logs to send and all logs are sent). The Log::ID for the barnyard2 log is: Barnyard2::LOG
.Seth
Perfect...thanks so much Seth.
Hrmm…maybe I put this in wrong?
@load tuning/logs-to-elasticsearch
redef LogElasticSearch::send_logs += {
Conn::LOG,
Barnyard2::LOG
};
Error in /usr/local/bro/share/bro/site/local.bro, line 91: unknown identifier Barnyard2::LOG, at or near “Barnyard2::LOG”
James
Make sure you're loading the Barnyard2 integration stuff before adding those lines...
@load policy/integration/barnyard2
.Seth
Ah crud…had the Barnyard2::LOG line added on the production box, but the @load policy on the dev box 8-| Just one of those days I guess…thanks again Seth.
James
No problem. I wouldn't even complain if you documented your experiences with this stuff somewhere.
.Seth
Thanks Seth.
So far I haven't been able to get this to work. Everything seems to be functioning, but I don't get any snort data into elasticsearch (I do get conn.log data though). Info below:
installed broccoli
recompiled barnyard2 with ./configure --enable-ipv6 --enable-gre --enable-bro --with-mysql --with-tcl=/usr/local/lib and I do see "checking for broccoli... yes"
local.bro:
@load frameworks/communication/listen
@load policy/integration/barnyard2
@load tuning/logs-to-elasticsearch
redef LogElasticSearch::send_logs += {
Conn::LOG,
Barnyard2::LOG
};
redef LogElasticSearch::server_host = "x.x.x.x";
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:47757 0.0.0.0:* LISTEN 25340/bro
barnyard:
output alert_bro: 127.0.0.1:47757
from runtime with -v:
alert_bro Connecting to Bro (127.0.0.1:47757)...done.
But all I see is conn.log info...no barnyard2 data. Not sure what else to do at this point...thanks Seth.
James
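An added example, not code from this thread: a POSIX shell script that statically checks a local.bro for the three pieces discussed above (the communication listener, the barnyard2 integration loaded before Barnyard2::LOG is referenced, which is the ordering behind the "unknown identifier" error earlier in the thread, and Barnyard2::LOG present in the ElasticSearch send list). The file paths and the two sample configs are constructed assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: static checks on a local.bro for the barnyard2 -> Bro -> ES setup; paths and samples are constructed.

# 0 if the barnyard2 integration is @load-ed before Barnyard2::LOG is referenced.
# The reverse order is what produced "unknown identifier Barnyard2::LOG" above.
check_load_order() {
    load_line=$(grep -n '^@load policy/integration/barnyard2' "$1" | head -n 1 | cut -d: -f1)
    log_line=$(grep -n 'Barnyard2::LOG' "$1" | head -n 1 | cut -d: -f1)
    [ -n "$load_line" ] && [ -n "$log_line" ] && [ "$load_line" -lt "$log_line" ]
}

# 0 if the communication listener is loaded (barnyard2 connects to 47757/tcp by default).
check_listen_loaded() {
    grep -q '^@load frameworks/communication/listen' "$1"
}

# 0 if Barnyard2::LOG is explicitly in the ElasticSearch send list; with an
# explicit send_logs, a log that is not listed is not shipped.
check_es_sends_barnyard() {
    grep -q 'Barnyard2::LOG' "$1"
}

# Print one line per check so the script is usable on a real local.bro.
report() {
    for c in check_listen_loaded check_load_order check_es_sends_barnyard; do
        if "$c" "$1"; then echo "ok   $c"; else echo "FAIL $c"; fi
    done
}

# Constructed sample: the working order (listener and integration loaded first).
WORK=$(mktemp -d)
GOOD="$WORK/local-good.bro"
cat > "$GOOD" <<'EOF'
@load frameworks/communication/listen
@load policy/integration/barnyard2
@load tuning/logs-to-elasticsearch
redef LogElasticSearch::send_logs += {
    Conn::LOG,
    Barnyard2::LOG
};
EOF
# Constructed sample reproducing the mistake from the thread: redef before @load.
BAD="$WORK/local-bad.bro"
cat > "$BAD" <<'EOF'
@load tuning/logs-to-elasticsearch
redef LogElasticSearch::send_logs += { Conn::LOG, Barnyard2::LOG };
@load policy/integration/barnyard2
EOF
report "$GOOD"; report "$BAD"
```

Run it against the real file with `report /usr/local/bro/share/bro/site/local.bro` after sourcing the functions; a FAIL on check_load_order means the redef sits above the @load.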