https://community.splunk.com/t5/Splunk-Search/Multiple-Searches-with-BRO-LOGS-Trying-to-correlate-certificate/m-p/337197#M162464 <P>In BRO 2.5.X there are about 3 or 4 log files that have SSL Certificate information: x509.log, ssl.log, conn.log and dns.log. In simplest process I think I need to either build a series of searches or use multisearch or join in SPL. Infact I would like for it all to be SPL. So not all fields are in all logs so I have to connect field A in log A with field A in log B create a new field B from log A&amp;B and use that in log C to get fields D&amp;E, then create dashboard or I can start off with a table. (Each log is a separate source type)<BR /> Some of the fields in BRO that are applicable is uid, fuid, CN, id_resp_h, txhost, rxhost.</P> <P>Thus.</P> <OL> <LI>Gather all certificate activity using the CN field and a dedup to get a list of certificates. (ssl.log)</LI> <LI>Take that list of CN and use that in x509.log to get all the certificate information (serial, expiry date, issuer, etc)</LI> <LI>Take CN field and certificate information and use it in the dns.log</LI> <LI>Convert some fields in to human readable format and create table with fields.</LI> </OL> <P>Can anyone give some guidance on this?</P> Tue, 29 Sep 2020 18:21:49 GMT baegoon 2020-09-29T18:21:49Z https://community.splunk.com/t5/Splunk-Search/Multiple-Searches-with-BRO-LOGS-Trying-to-correlate-certificate/m-p/337197#M162464 <P>In BRO 2.5.X there are about 3 or 4 log files that have SSL Certificate information: x509.log, ssl.log, conn.log and dns.log. In simplest process I think I need to either build a series of searches or use multisearch or join in SPL. Infact I would like for it all to be SPL. So not all fields are in all logs so I have to connect field A in log A with field A in log B create a new field B from log A&amp;B and use that in log C to get fields D&amp;E, then create dashboard or I can start off with a table. (Each log is a separate source type)<BR /> Some of the fields in BRO that are applicable is uid, fuid, CN, id_resp_h, txhost, rxhost.</P> <P>Thus.</P> <OL> <LI>Gather all certificate activity using the CN field and a dedup to get a list of certificates. (ssl.log)</LI> <LI>Take that list of CN and use that in x509.log to get all the certificate information (serial, expiry date, issuer, etc)</LI> <LI>Take CN field and certificate information and use it in the dns.log</LI> <LI>Convert some fields in to human readable format and create table with fields.</LI> </OL> <P>Can anyone give some guidance on this?</P> Tue, 29 Sep 2020 18:21:49 GMT https://community.splunk.com/t5/Splunk-Search/Multiple-Searches-with-BRO-LOGS-Trying-to-correlate-certificate/m-p/337197#M162464 baegoon 2020-09-29T18:21:49Z