28 Jul
2016
28 Jul
'16
7:53 a.m.
Can someone from the community provide more information or examples of
using log writer to create CEF formatted logs for consumption with Arcsight
SIEMs?
it seems that we can not customize arcsight connectors for BRO logs however
since arcsight can accept CEF events directly I would like to experiment
with directly sending CEF formatted BRO events from the standard log set.
Additionally I have 5 BRO sensors and would like to tag each event with the
BRO sensor's hostname before sending it to arc sight. The default logs do
not allow that modification and documentation is not the greatest. If you
want to do this in Arcsight via the connector, which is a version or two
behind, the connector will not allow the adding of the hostname.
So I have attempted to write PERL and PYTHON converters but the performance
of tailing logs and sending all events is challenging.
Also using brocut requires scripting and again not sure if I am sending ALL
log events.
In previous questions to the forum the answer was using the logging
framework however I have not seen anymore content on this subject. Thus
here is my formal request:
Can someone show how to use the logging framework to convert or have bro
output the http.log into CEF format? Also can I add custom fields such as
sensor-name and the end of the event or at the beginning near CEF:0.
28 Jul
28 Jul
8:36 a.m.
It might be a little work but utilizing the JSON output (
https://www.bro.org/sphinx/scripts/policy/tuning/json-logs.bro.html) and
sending it to logstash and in turn using mutate/filter in the logstash
config may get you to where you want to be at.
On Thu, Jul 28, 2016 at 10:56 AM Ludwig Goon <lagoon7(a)gmail.com> wrote:
Can someone from the community provide more
information or examples of
using log writer to create CEF formatted logs for consumption with Arcsight
SIEMs?
it seems that we can not customize arcsight connectors for BRO logs
however since arcsight can accept CEF events directly I would like to
experiment with directly sending CEF formatted BRO events from the standard
log set.
Additionally I have 5 BRO sensors and would like to tag each event with
the BRO sensor's hostname before sending it to arc sight. The default logs
do not allow that modification and documentation is not the greatest. If
you want to do this in Arcsight via the connector, which is a version or
two behind, the connector will not allow the adding of the hostname.
So I have attempted to write PERL and PYTHON converters but the
performance of tailing logs and sending all events is challenging.
Also using brocut requires scripting and again not sure if I am sending
ALL log events.
In previous questions to the forum the answer was using the logging
framework however I have not seen anymore content on this subject. Thus
here is my formal request:
Can someone show how to use the logging framework to convert or have bro
output the http.log into CEF format? Also can I add custom fields such as
sensor-name and the end of the event or at the beginning near CEF:0.
_______________________________________________
Bro mailing list
bro(a)bro-ids.org
http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
30 Jul
30 Jul
8:15 a.m.
If I were in your shoes and assuming it's possible to add the sensor ID/name to the
bro logs, I would just add that one field (keeping the same format, etc) and not rewrite
everything for CEF.
Then I would press HP support to give me the encrypted bro parser (they have given me
several parsers in the past) and write a parser override to account for the new
sensor/worker field.
Sorry this doesn't answer your question directly, but maybe this route is an option
for you.
________________________________
From: bro-bounces(a)bro.org <bro-bounces(a)bro.org> on behalf of Ludwig Goon
<lagoon7(a)gmail.com>
Sent: Thursday, July 28, 2016 9:53 AM
To: bro(a)bro.org
Subject: [Bro] Revisiting CEF formatted BRO Logs
Can someone from the community provide more information or examples of using log writer to
create CEF formatted logs for consumption with Arcsight SIEMs?
it seems that we can not customize arcsight connectors for BRO logs however since arcsight
can accept CEF events directly I would like to experiment with directly sending CEF
formatted BRO events from the standard log set.
Additionally I have 5 BRO sensors and would like to tag each event with the BRO
sensor's hostname before sending it to arc sight. The default logs do not allow that
modification and documentation is not the greatest. If you want to do this in Arcsight via
the connector, which is a version or two behind, the connector will not allow the adding
of the hostname.
So I have attempted to write PERL and PYTHON converters but the performance of tailing
logs and sending all events is challenging.
Also using brocut requires scripting and again not sure if I am sending ALL log events.
In previous questions to the forum the answer was using the logging framework however I
have not seen anymore content on this subject. Thus here is my formal request:
Can someone show how to use the logging framework to convert or have bro output the
http.log into CEF format? Also can I add custom fields such as sensor-name and the end of
the event or at the beginning near CEF:0.
8:29 a.m.
Back in the days of the old bro 1.9 log formats I generated CEF logging.
Not the logging framework but it worked perfectly. Was just a bro script
output to a file.
It's another option.
On Jul 30, 2016 11:25, "Ward Sladek" <wsladekjr(a)hotmail.com> wrote:
If I were in your shoes and assuming it's
possible to add the sensor
ID/name to the bro logs, I would just add that one field (keeping the same
format, etc) and not rewrite everything for CEF.
Then I would press HP support to give me the encrypted bro parser (they
have given me several parsers in the past) and write a parser override to
account for the new sensor/worker field.
Sorry this doesn't answer your question directly, but maybe this route is
an option for you.
------------------------------
*From:* bro-bounces(a)bro.org <bro-bounces(a)bro.org> on behalf of Ludwig
Goon <lagoon7(a)gmail.com>
*Sent:* Thursday, July 28, 2016 9:53 AM
*To:* bro(a)bro.org
*Subject:* [Bro] Revisiting CEF formatted BRO Logs
Can someone from the community provide more information or examples of
using log writer to create CEF formatted logs for consumption with Arcsight
SIEMs?
it seems that we can not customize arcsight connectors for BRO logs
however since arcsight can accept CEF events directly I would like to
experiment with directly sending CEF formatted BRO events from the standard
log set.
Additionally I have 5 BRO sensors and would like to tag each event with
the BRO sensor's hostname before sending it to arc sight. The default logs
do not allow that modification and documentation is not the greatest. If
you want to do this in Arcsight via the connector, which is a version or
two behind, the connector will not allow the adding of the hostname.
So I have attempted to write PERL and PYTHON converters but the
performance of tailing logs and sending all events is challenging.
Also using brocut requires scripting and again not sure if I am sending
ALL log events.
In previous questions to the forum the answer was using the logging
framework however I have not seen anymore content on this subject. Thus
here is my formal request:
Can someone show how to use the logging framework to convert or have bro
output the http.log into CEF format? Also can I add custom fields such as
sensor-name and the end of the event or at the beginning near CEF:0.
_______________________________________________
Bro mailing list
bro(a)bro-ids.org
http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
27 Aug
27 Aug
9:22 a.m.
Hi,
In Arcsight speak: You could also just create a flex connector to read the
ascii/json bro logs and spit out CEF. The easy way is to create one flex for
each file you're reading; the much more fun way is to craft one big one that
handles all the different files using a multi-file reader (There is an old
project on github that did this.).
I took the one-flex-per-filetype approach. Took a few hours to get logs
flowing.
Pat
From: bro-bounces(a)bro.org [mailto:bro-bounces@bro.org] On Behalf Of Ward
Sladek
Sent: Saturday, July 30, 2016 11:15 AM
To: Ludwig Goon <lagoon7(a)gmail.com>om>; bro(a)bro.org
Subject: Re: [Bro] Revisiting CEF formatted BRO Logs
If I were in your shoes and assuming it's possible to add the sensor ID/name
to the bro logs, I would just add that one field (keeping the same format,
etc) and not rewrite everything for CEF.
Then I would press HP support to give me the encrypted bro parser (they have
given me several parsers in the past) and write a parser override to account
for the new sensor/worker field.
Sorry this doesn't answer your question directly, but maybe this route is an
option for you.
_____
From: bro-bounces(a)bro.org <mailto:bro-bounces@bro.org> <bro-bounces(a)bro.org
<mailto:bro-bounces@bro.org> > on behalf of Ludwig Goon <lagoon7(a)gmail.com
<mailto:lagoon7@gmail.com> >
Sent: Thursday, July 28, 2016 9:53 AM
To: bro(a)bro.org <mailto:bro@bro.org>
Subject: [Bro] Revisiting CEF formatted BRO Logs
Can someone from the community provide more information or examples of using
log writer to create CEF formatted logs for consumption with Arcsight SIEMs?
it seems that we can not customize arcsight connectors for BRO logs however
since arcsight can accept CEF events directly I would like to experiment
with directly sending CEF formatted BRO events from the standard log set.
Additionally I have 5 BRO sensors and would like to tag each event with the
BRO sensor's hostname before sending it to arc sight. The default logs do
not allow that modification and documentation is not the greatest. If you
want to do this in Arcsight via the connector, which is a version or two
behind, the connector will not allow the adding of the hostname.
So I have attempted to write PERL and PYTHON converters but the performance
of tailing logs and sending all events is challenging.
Also using brocut requires scripting and again not sure if I am sending ALL
log events.
In previous questions to the forum the answer was using the logging
framework however I have not seen anymore content on this subject. Thus here
is my formal request:
Can someone show how to use the logging framework to convert or have bro
output the http.log into CEF format? Also can I add custom fields such as
sensor-name and the end of the event or at the beginning near CEF:0.
1928
days inactive
1958
days old
4 comments
5 participants
participants (5)
-
Jason Carr -
Ludwig Goon -
Neslog -
Patrick Cain -
Ward Sladek