topic Bro 2.6.4 forward to splunk in Getting Data In https://community.splunk.com/t5/Getting-Data-In/Bro-2-6-4-forward-to-splunk/m-p/471748#M81055 <P>I am not the best with setup so i am looking for an all in one step by step for getting bro logs into splunk. I previously had the logs forwarded but the fields were not showing up. Here is my setup thus far:<BR /> Bro 2.6.4 on Ubuntu server 18.04 LTS (fresh Install based on <A href="https://wpcademy.com/how-to-install-bro-network-security-monitor-on-ubuntu-16-04-lts/">https://wpcademy.com/how-to-install-bro-network-security-monitor-on-ubuntu-16-04-lts/</A> minus the geoIP stuff)<BR /> Splunk Enterprise 8.0.1 (fresh install based on <A href="https://docs.splunk.com/Documentation/Splunk/8.0.1/Installation/InstallonLinux">https://docs.splunk.com/Documentation/Splunk/8.0.1/Installation/InstallonLinux</A>)<BR /> started and created admin<BR /> configured to start on boot<BR /> I just see so many bits and pieces of what to do next to get Bro logs into Splunk i find myself doing the trial and error thing.<BR /> Thank you for any help (i know this can't be that difficult)</P> Sat, 21 Dec 2019 13:16:54 GMT tazzvon 2019-12-21T13:16:54Z Bro 2.6.4 forward to splunk https://community.splunk.com/t5/Getting-Data-In/Bro-2-6-4-forward-to-splunk/m-p/471748#M81055 <P>I am not the best with setup so i am looking for an all in one step by step for getting bro logs into splunk. I previously had the logs forwarded but the fields were not showing up. Here is my setup thus far:<BR /> Bro 2.6.4 on Ubuntu server 18.04 LTS (fresh Install based on <A href="https://wpcademy.com/how-to-install-bro-network-security-monitor-on-ubuntu-16-04-lts/">https://wpcademy.com/how-to-install-bro-network-security-monitor-on-ubuntu-16-04-lts/</A> minus the geoIP stuff)<BR /> Splunk Enterprise 8.0.1 (fresh install based on <A href="https://docs.splunk.com/Documentation/Splunk/8.0.1/Installation/InstallonLinux">https://docs.splunk.com/Documentation/Splunk/8.0.1/Installation/InstallonLinux</A>)<BR /> started and created admin<BR /> configured to start on boot<BR /> I just see so many bits and pieces of what to do next to get Bro logs into Splunk i find myself doing the trial and error thing.<BR /> Thank you for any help (i know this can't be that difficult)</P> Sat, 21 Dec 2019 13:16:54 GMT https://community.splunk.com/t5/Getting-Data-In/Bro-2-6-4-forward-to-splunk/m-p/471748#M81055 tazzvon 2019-12-21T13:16:54Z Re: Bro 2.6.4 forward to splunk https://community.splunk.com/t5/Getting-Data-In/Bro-2-6-4-forward-to-splunk/m-p/471749#M81056 <P>@tazzvon </P> <P>Have you tried <STRONG>Splunk Add-on for Zeek aka Bro</STRONG>? </P> <P>The Splunk Add-on for Zeek aka Bro supports two log formats: TSV and JSON. JSON format is support for <STRONG>Zeek aka Bro</STRONG> versions 2.3.x, 2.4.x, and 2.5.x. Not sure about 2.6.x but you can try if there are no change logs. </P> <P>Splunkbase link: <A href="https://splunkbase.splunk.com/app/1617/">https://splunkbase.splunk.com/app/1617/</A> ?<BR /> Documentation: <A href="https://docs.splunk.com/Documentation/AddOns/released/BroIDS/Description">https://docs.splunk.com/Documentation/AddOns/released/BroIDS/Description</A></P> <P>You can find bro configuration in below link.<BR /> <A href="https://docs.splunk.com/Documentation/AddOns/released/BroIDS/Configuration#Configure_Bro_log_monitoring">https://docs.splunk.com/Documentation/AddOns/released/BroIDS/Configuration#Configure_Bro_log_monitoring</A></P> Tue, 24 Dec 2019 11:00:29 GMT https://community.splunk.com/t5/Getting-Data-In/Bro-2-6-4-forward-to-splunk/m-p/471749#M81056 kamlesh_vaghela 2019-12-24T11:00:29Z