Bro +Splunk

Hi all,

Any good documentation for newbies as to how to send bro logs to a
remote splunk server?
What's the requirements on both sides and what files needs to be
touched on the bro to send the logs to the remote splunk server.
I know I installed from the splunk app the "Splunk add on for bro ids"


Yes! Use the Splunk Universal Forwarder and monitor the “/usr/local/bro/logs/current” folder. Make sure you configure Splunk to receive the data. This can be done under settings.


Install the forwarder -

Add the location of your Splunk server (the receiving host and port are placeholders here) -
./splunk add forward-server <splunk-server>:<receiving-port>

Add the monitor command -
./splunk add monitor /usr/local/bro/logs/current

That’s it.


Splunk universal forwarders monitoring the files you’re interested in (those in the ./current directory) on the Bro cluster master.

The Splunk TA for Bro on the search head(s), indexer(s), and on the Bro cluster master (I highly suggest forking it, removing the Splunk_TA_Bro/default/inputs.conf and building your own).

That should get you started.
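Added example, not code from either reply above: the two replies amount to "point a Universal Forwarder at the ./current directory and ship your own inputs.conf instead of the TA's default". The script below renders the outputs.conf and inputs.conf that `splunk add forward-server` and `splunk add monitor` would otherwise write, one monitor stanza per log file rather than the whole directory (so rotated and compressed files stay out of the index), and runs a sanity check before deployment. The indexer hostname and port, the log directory, the list of Bro logs, the `bro-indexers` group name and the `bro_<log>` sourcetype naming are all assumptions, not values from the thread.

```shell
#!/bin/sh
# Added example (not from the thread). Renders Universal Forwarder config
# files for shipping Bro logs, so they can be reviewed and version-controlled
# before the forwarder goes onto the Bro cluster master.
# Assumptions: indexer host/port, log directory and log list are placeholders.

BRO_LOG_DIR="${BRO_LOG_DIR:-/usr/local/bro/logs/current}"

# outputs.conf: where the forwarder sends data. This is what
# "splunk add forward-server HOST:PORT" writes. Group name is an assumption.
write_outputs_conf() {
    host="$1"; port="$2"
    cat <<EOF
[tcpout]
defaultGroup = bro-indexers

[tcpout:bro-indexers]
server = ${host}:${port}
EOF
}

# inputs.conf: one [monitor://...] stanza per log we actually want, instead of
# monitoring the whole directory. Each log gets its own sourcetype so the TA's
# field extractions line up; the "bro_<log>" naming is an assumption.
# Note the resulting "monitor:///usr/..." has three slashes: "monitor://" plus
# an absolute path.
write_inputs_conf() {
    dir="$1"; shift
    for log in "$@"; do
        cat <<EOF
[monitor://${dir}/${log}.log]
sourcetype = bro_${log}
disabled = false

EOF
    done
}

# Pre-deployment check: at least one monitor stanza, every stanza under the
# expected Bro log directory, and exactly one receiving server configured.
# Returns 0 when the files pass, 1 otherwise.
check_configs() {
    inputs="$1"; outputs="$2"
    grep -q '^\[monitor://' "$inputs" || return 1
    # any monitor stanza pointing outside the log directory fails the check
    grep '^\[monitor://' "$inputs" | grep -qv "^\[monitor://${BRO_LOG_DIR}/" && return 1
    [ "$(grep -c '^server = ' "$outputs")" -eq 1 ] || return 1
    return 0
}

# Usage: ./render_bro_forwarder.sh render <indexer-host> <port>
if [ "${1:-}" = "render" ]; then
    write_outputs_conf "${2:-splunk.example.internal}" "${3:-9997}" > outputs.conf
    write_inputs_conf "$BRO_LOG_DIR" conn dns http ssl notice > inputs.conf
    check_configs inputs.conf outputs.conf && echo "configs OK"
fi
```

Copy the rendered files into the forwarder's app or local directory on the cluster master and restart the forwarder; the receiving port on the indexer still has to be enabled under settings, as the first reply notes.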

Hi Patrick, can’t find a link to download the universal forwarder. Is it free?




Yes, it is. Just register for a Splunk account, which is free.

Once you register using the link above, it should send you to the free download.