Does anybody have the slides or video from "Analyzing and Visualizing
Bro Logs with Splunk" talk at Bro Workshop 2011?
-Chris
Hmm, I thought they were put on the website... I was difficult and used
the Google HTML5 slideshow template.
The presentation is attached. Let me know if you have any questions.
The old metrics scripts I mention were indeed obsoleted by 2.0, but I've
updated most of them:
splunk.tgz (866 KB)
It used live data and wasn't recorded. Justin, do you have anything shareable?
There was also the Security Onion app for Splunk that was recently released. Since quite a bit of it revolves around Bro data you could try working with that if you are interested in using Bro data in Splunk.
.Seth
Justin Azoff <JAzoff <at> albany.edu> writes:
> Does anybody have the slides or video from "Analyzing and Visualizing
> Bro Logs with Splunk" talk at Bro Workshop 2011?
>
> -Chris

Hmm, I thought they were put on the website... I was difficult and used
the Google HTML5 slideshow template.

The presentation is attached. Let me know if you have any questions.

The old metrics scripts I mention were indeed obsoleted by 2.0, but I've
updated most of them:
GitHub - JustinAzoff/bro_scripts: Analysis scripts for the Bro Intrusion Detection System
If you want to get going quickly, download the Security Onion app
for Splunk and either install it (if it's not a Security Onion system,
you'll want to disable the SOstat scripts) or rename it to a .tar.gz
and extract. If you're already pulling Bro data in, you should be
able to match up the sourcetype names to the props/transforms.conf
then copy the props.conf and transforms.conf files to your Splunk
instance.
That will get you all the field extractions and data into Splunk, and
the Security Onion app will provide some initial dashboards and
panels to give you more ideas.
Brad Shoop
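The "match up the sourcetype names" step from Brad's instructions, as an added shell example that is not from this thread, from the Security Onion app or from Splunk: it unpacks a .spl (which tar reads as a gzipped tarball without renaming it), pulls the stanza names out of the app's props.conf, and lists the sourcetypes your own inputs.conf assigns to Bro logs that the app has no field extractions for. The app layout, the stanza names (bro_conn, bro_http, bro_dns) and the inputs.conf are all constructed for the demo; the real app's sourcetype names must be read from its own props.conf.

```shell
#!/bin/sh
# Added example, not code from the thread or from the Security Onion app.
# Compares the sourcetypes an app's props.conf handles with the sourcetypes
# your inputs.conf assigns, so you know which Bro logs will get no field
# extractions after copying props.conf/transforms.conf over.
set -eu

# Print the stanza names ([name]) of a Splunk .conf file, one per line.
conf_stanzas() {
    sed -n 's/^\[\(.*\)\]$/\1/p' "$1"
}

# Print the distinct sourcetype values set in an inputs.conf.
inputs_sourcetypes() {
    sed -n 's/^sourcetype[[:space:]]*=[[:space:]]*//p' "$1" | sort -u
}

# Print every sourcetype from inputs.conf that has no stanza in the app's props.conf.
unmatched_sourcetypes() {
    app_props=$1
    my_inputs=$2
    inputs_sourcetypes "$my_inputs" | while read -r st; do
        if ! conf_stanzas "$app_props" | grep -qx "$st"; then
            echo "$st"
        fi
    done
}

# Extract a .spl app archive (a renamed .tar.gz) and list its props/transforms files.
extract_app() {
    spl=$1
    dest=$2
    mkdir -p "$dest"
    tar -xzf "$spl" -C "$dest"
    find "$dest" -name props.conf -o -name transforms.conf
}

# Demo on a constructed app and a constructed inputs.conf (hypothetical names,
# not the real Security Onion app). Prints the sourcetypes lacking extractions.
demo() {
    work=$(mktemp -d)
    mkdir -p "$work/myapp/default"
    cat > "$work/myapp/default/props.conf" <<'EOF'
[bro_conn]
REPORT-bro = bro_conn_fields
[bro_http]
REPORT-bro = bro_http_fields
EOF
    cat > "$work/myapp/default/transforms.conf" <<'EOF'
[bro_conn_fields]
DELIMS = "\t"
FIELDS = ts,uid,id.orig_h,id.orig_p,id.resp_h,id.resp_p,proto
EOF
    (cd "$work" && tar -czf myapp.spl myapp)
    cat > "$work/inputs.conf" <<'EOF'
[monitor:///nsm/bro/logs/current/conn.log]
sourcetype = bro_conn
[monitor:///nsm/bro/logs/current/dns.log]
sourcetype = bro_dns
EOF
    extract_app "$work/myapp.spl" "$work/extracted" >/dev/null
    unmatched_sourcetypes "$work/extracted/myapp/default/props.conf" "$work/inputs.conf"
    rm -rf "$work"
}

demo
```

Run against the real app by pointing extract_app at the downloaded .spl and unmatched_sourcetypes at your forwarder's inputs.conf; anything it prints either needs its sourcetype renamed to what the app expects, or its own props/transforms stanzas written before the copied files are of use. Where the copied files land (the app's local directory under $SPLUNK_HOME/etc/apps) depends on your deployment and is not something this example decides for you.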