Saturday, November 10, 2018

Visualizing your Zeek (Bro) data with Splunk - The Setup

In the two previous posts (1, 2) on Bro, we focused on installing and configuring Bro.

Since then, I've learnt that Bro has now been renamed to Zeek. Feel free to read more about the name change here.

In this series of posts, we focus on visualizing some of the data that Bro has produced. As we continue building on this series in the future, we will look at writing some basic Bro signatures and scripts.

To help us with visualizing this data, we will be working with Splunk. Let's first configure Splunk to ingest the data. At this point, I'm assuming you already have Splunk installed. In my example, Splunk is running on the same machine that Bro is on. Let's configure Splunk's "inputs.conf".

securitynik@securitynik-host:#cd /opt/splunk/etc/apps/search
securitynik@securitynik-host:/opt/splunk/etc/apps/search#vi local/inputs.conf

[monitor:///opt/bro/logs/current]
disabled = false
host = securitynik-monitoring-bro
whitelist = \.log$
sourcetype = Bro-Security-Monitoring
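To check what that stanza will actually pick up before pointing Splunk at the directory, here is a small Python helper (added here; it is not part of the original post and not Splunk code) that parses the monitor stanza and applies its whitelist to a constructed listing of /opt/bro/logs/current.

```python
import configparser
import re
from typing import Dict, List

# Constructed copy of the inputs.conf stanza shown above.
INPUTS_CONF = """
[monitor:///opt/bro/logs/current]
disabled = false
host = securitynik-monitoring-bro
whitelist = \\.log$
sourcetype = Bro-Security-Monitoring
"""

# Constructed listing of the kinds of files that sit in the current/
# directory: live Zeek logs, broctl bookkeeping files, and a rotated archive.
SAMPLE_LISTING = [
    "conn.log", "dns.log", "http.log", "x509.log", "ssl.log",
    "conn-summary.log", "stderr.log", "stdout.log",
    ".state", ".rotated.conn",
    "conn.20:00:00-21:00:00.log.gz",
]


def parse_monitor_stanzas(text: str) -> Dict[str, Dict[str, str]]:
    """Return {monitored_path: settings} for every [monitor://...] stanza.

    Splunk .conf files are INI-like, so configparser handles them; keys
    are lowercased, which matches Splunk's case-insensitive setting names.
    """
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    stanzas: Dict[str, Dict[str, str]] = {}
    for section in cp.sections():
        if section.startswith("monitor://"):
            stanzas[section[len("monitor://"):]] = dict(cp[section])
    return stanzas


def files_splunk_would_ingest(settings: Dict[str, str], listing: List[str]) -> List[str]:
    """Apply the stanza's disabled flag and whitelist regex to a listing.

    Splunk matches whitelist against the full path; because \\.log$ is
    anchored at the end, matching the bare file name gives the same result.
    Note that it also admits stderr.log/stdout.log and conn-summary.log,
    while rotated .log.gz archives and dot-files are left alone.
    """
    if settings.get("disabled", "false").strip().lower() in ("1", "true"):
        return []
    pattern = re.compile(settings["whitelist"]) if "whitelist" in settings else None
    return [name for name in listing if pattern is None or pattern.search(name)]
```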

Now that we have Splunk configured to ingest the Bro data, let's move on to building our first widget for the dashboard. Just as I assume you have Splunk installed, I am assuming you already have a dashboard. If you don't, and need guidance on how to set one up, drop me a line and I can put together a quick post.

See you in our first widget, where we focus on Zeek's (Bro) conn.log - connection logs.

Posts in this series:
Visualizing your Zeek (Bro) data with Splunk - The Setup
Visualizing your Zeek (Bro) data with Splunk - conn.log (connection logs)
Visualizing your Zeek (Bro) data with Splunk - http.log (http logs)
Visualizing your Zeek (Bro) data with Splunk - dns.log (connection logs)
Visualizing your Zeek (Bro) data with Splunk - x509.log (connection logs)
