Hi all,
Any good documentation for newbies on how to send Bro logs to a
remote Splunk server?
What are the requirements on both sides, and which files need to be
touched on the Bro side to send the logs to the remote Splunk server?
I know I installed from the splunk app the "Splunk add on for bro ids"
Thanks
Monah
Yes! Use the Splunk Universal Forwarder and monitor the “/usr/local/bro/logs/current” folder. Make sure you configure Splunk to receive the data. This can be done under settings.
Instructions
Install the forwarder -
http://www.splunk.com/en_us/download/universal-forwarder.html
Add the location of your Splunk server -
./splunk add forward-server 172.0.0.20:9997
Add the monitor command -
./splunk add monitor /usr/local/bro/logs/current
That’s it.
Splunk universal forwarders monitoring the files you’re interested in (those in the ./current directory) on the Bro cluster master.
The Splunk TA for Bro on the search head(s), indexer(s), and on the Bro cluster master (https://splunkbase.splunk.com/app/1617/). I highly suggest forking it and removing the Splunk_TA_Bro/default/inputs.conf and building your own.
That should get you started.
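Building on the forwarder steps above and the suggestion to drop the TA's default inputs.conf and build your own, here is an added example (not from any poster in this thread) that writes one monitor stanza per Bro log into a local app on the Universal Forwarder, so only the logs you actually search are shipped and each gets its own sourcetype. The index name "bro" and the bro_<log> sourcetype names are assumptions; adjust them to match the TA you deploy.

```shell
#!/bin/sh
# Added example, not from the thread: per-log inputs.conf for the Universal
# Forwarder instead of one blanket "add monitor" on logs/current.
# Assumptions: Bro writes to /usr/local/bro/logs/current (as in the thread),
# events go to an index named "bro", sourcetypes follow bro_<log> naming.
BRO_LOGS="${BRO_LOGS:-/usr/local/bro/logs/current}"
SPLUNK_INDEX="${SPLUNK_INDEX:-bro}"

# Emit one [monitor://<abs path>] stanza per log file. Logs not listed here
# (stats.log, loaded_scripts.log, ...) stay on the sensor and are not forwarded.
bro_inputs_conf() {
  for log in conn dns http ssl files notice weird; do
    printf '[monitor://%s/%s.log]\n' "$BRO_LOGS" "$log"
    printf 'disabled = false\n'
    printf 'sourcetype = bro_%s\n' "$log"
    printf 'index = %s\n\n' "$SPLUNK_INDEX"
  done
}

# Write the stanzas under <app>/local/ so a TA upgrade cannot overwrite them.
# Prints the number of monitor stanzas written so the caller can verify it.
write_inputs_conf() {
  app_dir="$1"
  mkdir -p "$app_dir/local"
  bro_inputs_conf > "$app_dir/local/inputs.conf"
  grep -c '^\[monitor://' "$app_dir/local/inputs.conf"
}

# Typical use on the forwarder host (path is an assumption):
#   write_inputs_conf /opt/splunkforwarder/etc/apps/bro_inputs
#   /opt/splunkforwarder/bin/splunk restart
```

After restarting, `splunk list monitor` on the forwarder and a search for `index=bro` on the indexer confirm the stanzas are active and data is arriving.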
Hi Patrick,
http://www.splunk.com/en_us/download/universal-forwarder.html Can’t find a link to download the universal forwarder. Is it free?
Thanks
Monah
Yes, it is. Just register for a Splunk account, which is free.
https://www.splunk.com/page/sign_up?redirecturl=http://www.splunk.com/en_us/download/universal-forwarder.html
Once you register using the link above, it should send you to the free download.