Can someone from the community provide more information or examples of using log writer to create CEF formatted logs for consumption with Arcsight SIEMs?
it seems that we can not customize arcsight connectors for BRO logs however since arcsight can accept CEF events directly I would like to experiment with directly sending CEF formatted BRO events from the standard log set.
Additionally I have 5 BRO sensors and would like to tag each event with the BRO sensor’s hostname before sending it to arc sight. The default logs do not allow that modification and documentation is not the greatest. If you want to do this in Arcsight via the connector, which is a version or two behind, the connector will not allow the adding of the hostname.
So I have attempted to write PERL and PYTHON converters but the performance of tailing logs and sending all events is challenging.
Also using brocut requires scripting and again not sure if I am sending ALL log events.
In previous questions to the forum the answer was using the logging framework however I have not seen anymore content on this subject. Thus here is my formal request:
Can someone show how to use the logging framework to convert or have bro output the http.log into CEF format? Also can I add custom fields such as sensor-name and the end of the event or at the beginning near CEF:0.
If I were in your shoes and assuming it’s possible to add the sensor ID/name to the bro logs, I would just add that one field (keeping the same format, etc) and not rewrite everything for CEF.
Then I would press HP support to give me the encrypted bro parser (they have given me several parsers in the past) and write a parser override to account for the new sensor/worker field.
Sorry this doesn’t answer your question directly, but maybe this route is an option for you.
Back in the days of the old bro 1.9 log formats I generated CEF logging. Not the logging framework but it worked perfectly. Was just a bro script output to a file.
In Arcsight speak: You could also just create a flex connector to read the ascii/json bro logs and spit out CEF. The easy way is to create one flex for each file you’re reading; the much more fun way is to craft one big one that handles all the different files using a multi-file reader (There is an old project on github that did this.).
I took the one-flex-per-filetype approach. Took a few hours to get logs flowing.