Analyzing and Visualizing Bro Logs with Splunk

Does anybody have the slides or video from "Analyzing and Visualizing
Bro Logs with Splunk" talk at Bro Workshop 2011?

-Chris

Hmm, I thought they were put on the website.. I was difficult and used
the google HTML5 slideshow template :)

The presentation is attached. Let me know if you have any questions.

The old metrics scripts I mention were indeed obsoleted by 2.0, but I've
updated most of them:

splunk.tgz (866 KB)

https://github.com/JustinAzoff/bro_scripts/tree/2.0/

It used live data and wasn't recorded. Justin, do you have anything shareable?

There was also the Security Onion app for Splunk that was recently released. Since quite a bit of it revolves around Bro data you could try working with that if you are interested in using Bro data in Splunk.

  .Seth


If you want to get going quickly, download the Security Onion app
for Splunk and either install it (if it's not a Security Onion system,
you'll want to disable the SOstat scripts) or rename it to a .tar.gz
and extract. If you're already pulling Bro data in, you should be
able to match up the sourcetype names to the props/transforms.conf
then copy the props.conf and transforms.conf files to your Splunk
instance.

That will get you all the field extractions and data into Splunk, and
the Security Onion app will provide some initial dashboards and
panels to give you more ideas.

Brad Shoop
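To make the props/transforms matching Brad describes concrete, here is an added example of the two Splunk files for a Bro 2.0 ASCII conn.log. It is illustration written for this thread, not the Security Onion app's actual configuration and not code from anyone posting here. The sourcetype name `bro_conn`, the stanza names and the field list are assumptions; the column order in `FIELDS` must match the `#fields` header line of your own conn.log exactly, and the dotted Bro names (`id.orig_h` etc.) are flattened to underscores so they are easy to use in searches.

```ini
# props.conf  (added example; "bro_conn" is an assumed sourcetype name)
[bro_conn]
SHOULD_LINEMERGE = false
# Bro's ts column is epoch seconds with microseconds, e.g. 1300475167.096535
TIME_PREFIX = ^
TIME_FORMAT = %s.%6N
MAX_TIMESTAMP_LOOKAHEAD = 20
# Send the #separator/#fields/#types/#close header lines to the null queue
# at index time so they never show up as events.
TRANSFORMS-drop_bro_comments = bro_drop_comments
# Tab-delimited field extraction at search time.
REPORT-bro_conn = bro_conn_fields
KV_MODE = none

# transforms.conf
[bro_drop_comments]
REGEX = ^#
DEST_KEY = queue
FORMAT = nullQueue

[bro_conn_fields]
DELIMS = "\t"
# Assumed Bro 2.0 conn.log column order; check the #fields line of your log.
FIELDS = ts, uid, id_orig_h, id_orig_p, id_resp_h, id_resp_p, proto, service, duration, orig_bytes, resp_bytes, conn_state, local_orig, missed_bytes, history, orig_pkts, orig_ip_bytes, resp_pkts, resp_ip_bytes
```

Two things to check after dropping these in: that `#`-prefixed header lines are really gone from the index (search for `sourcetype=bro_conn "#fields"`), since a stray header line indexed as an event will also throw off the timestamp parsing, and that a `-` (Bro's unset marker) in the first few columns still yields the right field positions, which `DELIMS` handles but a naive regex would not.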