Summary Reports and service listing

The service field in conn.log (and in those summary reports) is the result of Bro's dynamic protocol detection (DPD). One of Bro's protocol analyzers has confirmed that the traffic seen is that protocol.

If you look in conn.log, you should be able to see if the 514 traffic is TCP or UDP. Bro doesn't have a TCP syslog analyzer right now. If it's UDP, something is sending malformed syslog.
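A quick way to do the check described above is to pull the port 514 flows out of conn.log and tabulate them by transport protocol and DPD-assigned service. The script below is an added example written for this thread, not code from the Bro project or from either poster; the conn.log rows it parses are constructed to mimic Bro's tab-separated ASCII format (with the `#fields` and `#unset_field` headers), and the explanations in `diagnose()` simply restate the points made in the message above (TCP 514 with no TCP syslog analyzer; UDP 514 that the syslog analyzer did not confirm).

```python
import io
from collections import Counter

# Constructed sample conn.log in Bro's ASCII format (not a real capture).
# Two UDP flows that DPD confirmed as syslog, one UDP flow it did not,
# one TCP flow to 514, and one unrelated DNS flow.
SAMPLE_CONN_LOG = """#separator \\x09
#set_separator\t,
#empty_field\t(empty)
#unset_field\t-
#path\tconn
#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tservice\tduration\torig_bytes\tresp_bytes\tconn_state
#types\ttime\tstring\taddr\tport\taddr\tport\tenum\tstring\tinterval\tcount\tcount\tstring
1389210041.123456\tCAbc1\t10.0.0.5\t45123\t10.0.0.10\t514\tudp\tsyslog\t0.000000\t120\t0\tS0
1389210042.223456\tCAbc2\t10.0.0.6\t45124\t10.0.0.10\t514\tudp\tsyslog\t0.000000\t98\t0\tS0
1389210043.323456\tCAbc3\t10.0.0.7\t45125\t10.0.0.10\t514\tudp\t-\t0.000000\t75\t0\tS0
1389210044.423456\tCAbc4\t10.0.0.8\t51000\t10.0.0.10\t514\ttcp\t-\t1.500000\t400\t0\tS1
1389210045.523456\tCAbc5\t10.0.0.5\t40000\t10.0.0.53\t53\tudp\tdns\t0.010000\t40\t120\tSF
#close\t2014-01-08-20-00-00
"""


def parse_conn_log(text):
    """Parse Bro ASCII conn.log text into a list of dicts keyed by field name.

    Honors the #fields header for column names and #unset_field for the
    marker Bro uses when a field is not set (returned as None).
    """
    fields = None
    unset = "-"
    records = []
    for raw in io.StringIO(text):
        line = raw.rstrip("\n")
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#fields\t"):
                fields = line.split("\t")[1:]
            elif line.startswith("#unset_field\t"):
                unset = line.split("\t", 1)[1]
            continue
        if fields is None:
            raise ValueError("data row before #fields header")
        values = line.split("\t")
        if len(values) != len(fields):
            raise ValueError("column count mismatch: %r" % line)
        records.append({k: (None if v == unset else v) for k, v in zip(fields, values)})
    return records


def service_by_proto(records, port):
    """Count flows to `port` by (proto, service); unset service shows as '(none)'."""
    counts = Counter()
    for r in records:
        if r["id.resp_p"] == str(port):
            counts[(r["proto"], r["service"] or "(none)")] += 1
    return counts


def diagnose(counts):
    """Map each (proto, service) bucket to the explanation given in the thread."""
    notes = {}
    for (proto, service), n in counts.items():
        if service != "(none)":
            notes[(proto, service)] = "%d flow(s) confirmed by the %s analyzer" % (n, service)
        elif proto == "tcp":
            notes[(proto, service)] = "%d TCP flow(s) with no service: Bro has no TCP syslog analyzer" % n
        else:
            notes[(proto, service)] = "%d %s flow(s) the syslog analyzer did not confirm (malformed?)" % (n, proto)
    return notes


if __name__ == "__main__":
    recs = parse_conn_log(SAMPLE_CONN_LOG)
    counts = service_by_proto(recs, 514)
    for key, note in sorted(diagnose(counts).items()):
        print("%s/%s: %s" % (key[0], key[1], note))
```

Run it against a real conn.log by replacing `SAMPLE_CONN_LOG` with the file contents; if every UDP 514 flow lands in the `syslog` bucket, DPD is recognizing the traffic and the problem is downstream of conn.log, whereas rows in the `(none)` bucket are the ones to look at.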


Hey Vlad,

It's UDP and the traffic is syslog.

I have rsyslog listening on my network and traffic is making it from the
network devices to my syslog server so I don't think it's malformed.

Bro even has the syslog files in its log directory which is why I
thought it odd that things weren't being reported correctly.

Thoughts on where to look next?