- Apps and Add-ons
- :
- All Apps and Add-ons
- :
- How can I get the Bro-events in my own index (and ...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I am using the Splunk Add-on for Bro IDS to parse pcap files, get the metadata from them as bro logfiles and parse these logfiles into a Splunk index.
The problem I have is that I only can put the data in a dedicated index "bro". But I want to be able to put the data in my own index and not in this bro index.
I tried so things with no result. It is possible to name an index in the input.conf, but this only works for the sourcetype "pcap_monitor" and not for the sourcetypes "bro_*". I also tried to monitor the logfiles separately with an named index, but the data still ends in the bro index. I also changed the index.conf file in the apps directory, but this doesn't make any difference too.
In the documentation of the "All Bro events are stored in a dedicated index named bro." There is nothing on how to put data in another index. So it looks like it is not possible?
Any ideas?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I think I found the problem. The setting for the index was overruled by the "BroRouteIndex" setting in the file "default/transforms.conf". I commented it out and now the index property in the inputs.conf isn't ignored anymore. It looks like the data is going to the proper index now.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
side question arthurbreuer
My bro sensors name the the log files conn.log, weird.log, http.log etc etc. I'm trying to use the new Splunk_TA_bro but in the props.conf on my indexer it seems to hate the fact that my bro log aren't named bro.whateverfile.log what are folks doing to work around this? I've set the source to [source::...*.log] then in the enrich bro logs area I've set the regex to this:
[(?::){0}.log]
[(?::){0}bro_*] original
then in my transforms I set the [BroAutoType] to:
REGEX = ([a-zA-Z]+).log
REGEX = (?:[a-zA-Z0-9]+.)?([a-zA-Z0-9]+).log original
I stood up a test bro sensor today to see if I could change the way bro writes it's logs but it didn't jump out at me.....
Thanks in advance
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I think I found the problem. The setting for the index was overruled by the "BroRouteIndex" setting in the file "default/transforms.conf". I commented it out and now the index property in the inputs.conf isn't ignored anymore. It looks like the data is going to the proper index now.
Introducing Splunk Enterprise 9.2
Adoption of RUM and APM at Splunk
Routing logs with Splunk OTel Collector for Kubernetes
