Another assist with Bro and Splunk

So...before I recreate the wheel I thought I'd fire this here. Situation:

bro 2.5.4 on a box
shipping off conn and ssl logs via rsyslog to another box

So I've looked at:

but this appears pretty old. So...before I go through the grueling process of manually getting field extractions, I'm betting someone else has already done the splunk-ish work. Thanks for any assistance.


Typically, I just ingest the json logs without issue.

Are you experiencing a particular issue?

Patrick Kelley, CISSP, C|EH, ITIL

Careful with the JSON logs. They use significantly more index.

That add-on does work with some minor modifications.

You’ll need to add a local transforms.conf to define a new REGEX and you’ll probably want to turn off the pcap monitor.


REGEX = (?:[a-zA-Z0-9]+\.)?([a-zA-Z0-9_]+)\.log

Appreciate that thanks Stephen....just making my own field extractions as we speak(type?)...easier than logstash :wink:


Glad to hear/see that you have it sorted.

Yes. It’s an increase. Yes. Cutting them up in Splunk is much easier than Logstash.

Patrick Kelley, CISSP, C|EH, ITIL

I have had a few open tickets with Splunk to update the Bro-IDS Splunk app, but to no avail. PacketSled, a Bro based security tool, has alluded to the fact that they plan to publish an open source based Bro Splunk App. I also wanted to say that if you use the intel framework on Bro, you will have to add your own props and transforms entries, but there are some out on the internet others have done. I did a lot of work getting Bro logs into Azure HDInsight (Microsoft Hadoop), but am have only done the basics on writing extractions for Bro in Splunk. Thankfully the tab based delimiters make field extraction relatively painless in search time field extractions in Splunk.

Good luck, and maybe we can all find a place to share our Splunk files to help others…

I believe that Corelight have published some of their stuff for Splunk as well. It could be well worth having a look for those at Splunkbase too.

Cheers, Mike

Yep! I believe we've already helped a few opensource users get it working for themselves too. We also published a Bro package to help people get their data from Bro prepped in a way that it's easily consumable by Splunk here:

I know that it's making the logs into json which increases indexing costs, but there aren't really any other flexible and resilient mechanisms that I've heard of with Splunk.