After recent updates BRO IDS logs has been broken using old configuration files. This blog posts introduces how to install Splunk Forwarder, Create Splunk Bro Index, Adding configuration file to separate each log file to its own sourcetype. Before we forward to the Splunk server, let’s make sure the indexes are created. Go to Settings -> Indexes -> New Index. To create an index called bro, add “Bro” to Index Name then click Save. If you have done this successfully, it should look like this:
Now let’s switch back to the Bro Server
Enable Splunk Receiving option by going to Settings -> Forwarding and Receiving -> Configure Receiving -> New -> Add what port you want to receive data in and then Save. Default port is usually 9997. (Recommend changing this). It should look like this after you are done adding the receiving port. Now let’s switch over to our bro server where we want to forward logs from. We will need to download a Splunk forwarder to send logs easily from this server. Let’s download the Splunk Forwarder via command line using wget by running the following command -
wget -O splunkforwarder-7.0.1-2b5b15c4ee89-linux-2.6-x86_64.rpm ‘https://www.splunk.com/bin/splunk/DownloadActivityServlet?architecture=x86_64&platform=linux&version=7.0.1&product=universalforwarder&filename=splunkforwarder-7.0.1-2b5b15c4ee89-linux-2.6-x86_64.rpm&wget=true’
We will use Red hat Package manager to install Splunkforwarder to allow us to push logs to the Splunk index.
rpm -i splunkforwarder-7.0.1-2b5b15c4ee89-linux-2.6-x86_64.rpm
By default, this installs the Splunkforwarder to /opt/splunkforwarder/. Now let’s Splunk forwarder to start on boot by running:
/opt/splunkforwarder/bin/splunk enable boot-start
Now, let’s add the Splunk server as our forward server; If you haven’t changed your password credentials are admin:changeme. IP ADDR 192.168.1.17 is our Splunk server where logs are being stored.
/opt/splunkforwarder/bin/splunk add forward-server 192.168.1.17:9997
Now that we have added the Splunk server to our forwarding list, we want to edit our local/inputs.conf file located /opt/splunkforwarder/etc/system/local/inputs.conf. We want to edit this file to this splunk_bro_input.conf. This will allow you to separate the bro logs based on their corresponding sourcetype and avoids the too-small issue. Let’s add the /var/log/bro/current/ with any files that ends in .log.
/opt/splunkforwarder/bin/splunk add monitor “/var/log/bro/current/*.log” -index bro
Now let’s restart the service to reload the configuration.
service splunk restart
If Bro is deployed, Splunk is receiving, Firewalls are interfering then you should be able to see the logs being pushed in. Logs are currently not being parsed. This will be left for the next blog.