any ArcSight users?

Anyone feeding Bro logs to ArcSight? If so, could you ping me back, please? We can take it off-list.

I’m having issues with their connector. I know… talk to the vendor… but that’s not always as fruitful as one would like to think.

Thanks,
Michael

Sounds worthwhile, please keep it on list!

  .Seth

yup - a flex connector is your answer.
-brad

Did you try their canned “Bro IDS NG” connector? “NG” is their way of saying v2.1.

It parses OK, but I’m having issues with log rotation. Could you share your agent.properties file for the rotation options?

Thanks again,
Michael

we did, but as we customize our format, it didn’t work. and we have a lot of sensors reporting in via syslog forwarding, so the flexconnector was the most reliable way to do this. syslog subagent, basically.
-brad

What do you mean you customize your format?

  .Seth

in the .bro files, some changes have been made to the format to better suit our needs. as such that completely breaks the arcsight connector.

I made a quick flex connector (file reader) for just the http.log as a test. It all works fine, and it handles file rotation without the problems I am seeing with the canned connector.

There’s a handy function built into the flex connector, _createLocalTimeStampFromSecondsSinceEpoch(), to convert the time to a format that ESM can deal with. Everything else was very simple and straightforward.

Hopefully the thread will help someone else.

Regards,
Michael
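As an added illustration of what a file-reader connector has to do with a Bro log (this is example code written for this thread, not part of any message above and not ArcSight's or Bro's own code): take the column names from the `#fields` header rather than hard-coding them, so a customised column layout still parses; map the `#unset_field` and `#empty_field` markers; and convert the epoch-seconds `ts` to a timestamp string, which is the job the `_createLocalTimeStampFromSecondsSinceEpoch()` function does inside the flex connector. The sample `http.log` lines are constructed, and the `tz` parameter defaults to UTC rather than the local zone so the output is deterministic.

```python
"""Parse Bro 2.x ASCII logs by their #fields header and convert the epoch ts.

Added example for the thread above; not code from ArcSight, Bro or any poster.
"""
from datetime import datetime, timezone

# Constructed sample http.log with a non-default column layout (the real
# format has many more columns; a customised deployment may add or drop them).
SAMPLE_HTTP_LOG = "\n".join([
    "#separator \\x09",
    "#set_separator\t,",
    "#empty_field\t(empty)",
    "#unset_field\t-",
    "#path\thttp",
    "#open\t2013-09-10-12-00-00",
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p"
    "\tmethod\thost\turi\tstatus_code",
    "#types\ttime\tstring\taddr\tport\taddr\tport\tstring\tstring\tstring\tcount",
    "1378814400.123456\tCxyz1\t10.0.0.5\t51234\t192.0.2.10\t80"
    "\tGET\texample.test\t/index.html\t200",
    "1378814401.000000\tCxyz2\t10.0.0.6\t51235\t192.0.2.10\t80"
    "\tPOST\texample.test\t/login\t-",
    "#close\t2013-09-10-13-00-00",
])


def epoch_to_timestamp(ts, tz=timezone.utc):
    """Convert a Bro 'time' value (seconds since the epoch, with a fractional
    part) to an ISO 8601 string. The fraction is taken from the text so no
    float rounding creeps into the microseconds."""
    secs, _, frac = str(ts).partition(".")
    micro = int((frac + "000000")[:6])
    dt = datetime.fromtimestamp(int(secs), tz).replace(microsecond=micro)
    return dt.isoformat(timespec="microseconds")


def parse_bro_log(text, tz=timezone.utc):
    """Return {'path': str|None, 'closed': bool, 'records': [dict, ...]}.

    Header directives are read from the file itself, so the parser follows
    whatever column set and separator the sensor was configured to write.
    'closed' becomes True when a #close line is seen, i.e. the file was
    rotated and will not receive further lines."""
    sep, unset, empty = "\t", "-", "(empty)"
    fields, path, closed, records = None, None, False, []
    for raw in text.splitlines():
        if not raw:
            continue
        if raw.startswith("#"):
            if raw.startswith("#separator "):
                # The separator line is space-delimited and escapes the value.
                sep = raw[len("#separator "):].encode("ascii").decode("unicode_escape")
                continue
            key, _, value = raw[1:].partition(sep)
            if key == "fields":
                fields = value.split(sep)
            elif key == "unset_field":
                unset = value
            elif key == "empty_field":
                empty = value
            elif key == "path":
                path = value
            elif key == "close":
                closed = True
            # #open, #types and #set_separator are not needed here.
            continue
        if fields is None:
            raise ValueError("data line before #fields header")
        values = raw.split(sep)
        if len(values) != len(fields):
            raise ValueError("column count %d != %d fields" % (len(values), len(fields)))
        rec = {}
        for name, val in zip(fields, values):
            if val == unset:
                rec[name] = None
            elif val == empty:
                rec[name] = ""
            else:
                rec[name] = val
        if rec.get("ts") is not None:
            rec["ts"] = epoch_to_timestamp(rec["ts"], tz)
        records.append(rec)
    return {"path": path, "closed": closed, "records": records}


if __name__ == "__main__":
    parsed = parse_bro_log(SAMPLE_HTTP_LOG)
    for r in parsed["records"]:
        print(r["ts"], r["id.orig_h"], r["method"], r["host"] + r["uri"], r["status_code"])
```

A connector that reads rotated files can use the `closed` flag to decide a file is finished and move on to the next one, instead of relying on file size or modification time.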