An assist with Splunk addon

All,

So I’ve been dabbling with Splunk, Bro, and the Corelight apps. I set up a listener, installed the App on the Splunk server, installed the Universal Forwarder (just trying it out; I know I can just use rsyslog/syslog-ng) on the machine that’s running bro, pointed the Universal Forwarder to the listener, and installed the TA addon on the machine running bro and the Universal Forwarder. Alas, my output is…unexpected:

Anyone have any hints on what the issue might be? Thank you.

James

This looks like you’re sending “cooked” Splunk output to a TCP input, which is suitable for syslog data or similar (though I would recommend using an intermediate like syslog-ng and picking up the files rather than having splunkd receive syslog directly).

If you’re using the GUI, you want to add the input port from Settings → Data → Forwarding and Receiving and configure a port for receiving the cooked data there.

-J

This is because the indexer (listener) is expecting Splunk “cooked” data. Your inputs.conf setting on the indexer is probably something like:

[tcp://:9997]

it should be:

[splunktcp://:9997]

https://docs.splunk.com/Documentation/Splunk/7.1.0/Admin/Inputsconf

Steve
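A small cross-check for the mismatch described above, added here as an example and not part of the thread or of Splunk's own tooling: it parses a forwarder's outputs.conf and an indexer's inputs.conf and reports every port the forwarder sends cooked data to that is not backed by a splunktcp:// stanza (the configs, hostnames and ports below are constructed samples).

```python
import configparser
import re

# Constructed sample configs, not from any real deployment: a forwarder that
# sends to port 9997 and an indexer that (wrongly) has a raw tcp input there.
FORWARDER_OUTPUTS_CONF = """
[tcpout:primary_indexers]
server = indexer.example.local:9997
"""
INDEXER_INPUTS_CONF = """
[tcp://:9997]
sourcetype = syslog
[splunktcp://:9998]
"""


def parse_conf(text):
    """Splunk .conf files are INI-style; keep key case as Splunk does."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str
    cp.read_string(text)
    return cp


def forwarder_target_ports(outputs_conf):
    """Ports the forwarder's tcpout groups send cooked data to."""
    cp = parse_conf(outputs_conf)
    ports = []
    for section in cp.sections():
        if section.startswith("tcpout:") and cp.has_option(section, "server"):
            for server in cp.get(section, "server").split(","):
                port = server.strip().rpartition(":")[2]
                if port.isdigit():
                    ports.append(int(port))
    return ports


def listener_kinds(inputs_conf):
    """Map each listening port to 'tcp' (raw) or 'splunktcp' (cooked)."""
    kinds = {}
    for section in parse_conf(inputs_conf).sections():
        m = re.fullmatch(r"(splunktcp|tcp)://(?:[^:]*:)?(\d+)", section)
        if m:
            kinds[int(m.group(2))] = m.group(1)
    return kinds


def find_mismatches(outputs_conf, inputs_conf):
    """(port, listener kind or None) for each forwarder target lacking a splunktcp input."""
    kinds = listener_kinds(inputs_conf)
    return [(p, kinds.get(p)) for p in forwarder_target_ports(outputs_conf)
            if kinds.get(p) != "splunktcp"]
```

Feed it the real files from the forwarder and indexer; a returned `(9997, "tcp")` is exactly the raw-input-on-the-forwarder-port case from this thread, and `(port, None)` means no listener stanza exists for that port at all.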

Thanks all…puts me on the right track.

James

Ok…so now I see data when searching:

sourcetype=“conn”

However the Corelight App proper shows no info…any other hints? Thank you.

James

I haven’t played with the Corelight App so I’m not sure what index names they’re looking for, but usually I’ve found that when TAs don’t show anything, yet I can see the data in search, it’s because the index name is not the same.

- Sam

Echoing the same, but with some additional insight. When app developers build out a TA and Splunk app, they generally make a best effort to anticipate what index and sourcetype an individual’s data will claim when ingested. Sometimes that will fail.

However, this generally isn’t very hard to remedy. If you do the following, you should be able to associate the proper information.

In the search window, you should be able to find the sourcetype and source that is correlated with your Bro data. With that information, go to the Corelight App and press the “edit” button in the top right-hand corner of the window. You should then see some magnifying glass icons on the panels. If you click on those, you can substitute the sourcetype and source data in the search query. When you press “Save”, the panels should refresh and render your data.

If this isn’t helpful, I apologize.

Feel free to reach out if you’d like more assistance.

-PK

Thanks all…just now getting back to this…crazy last 30 days…I’ll make some tweaks and see what happens.

James
