All Apps and Add-ons

Does Splunk Add-on for Zeek aka Bro work with the latest versions like 3.2.2????

Glasses
Contributor

I know the documentation for Zeek add-on says there is support for specific versions 

Zeek aka Bro versions 2.1, 2.2, 2.3, 2.4, 2.5

But has anyone used it with Zeek version 3.+??? 

OR does anyone have a suggestion to onboard Zeek 3+ ???  

Is sending as json format the best option?

TY!

Labels (1)
Tags (3)
0 Karma
1 Solution

kjstogn
Engager

Currently using it with Zeek version 3.0.8 on Security Onion 16.04.7.1

No issues with with JSON format. The add-on itself is rather lacking in the sourcetypes and covers just the main ones like conn, dns, ssl... definitely add the ones you would like to parse a little more.

I personally like the JSON format more than TSV but it does support that fine as well with its sourcetype autotyping/dynamic extraction. 

I would beware of the TIME_FORMAT in props.conf as Zeek by default uses epoch but Security Onion has been configured to use ISO8601

If using ISO8601 substitute TIME_FORMAT = %s.%6N for TIME_FORMAT = %Y-%m-%dT%H:%M:%S.%6%z

View solution in original post

0 Karma

kjstogn
Engager

Currently using it with Zeek version 3.0.8 on Security Onion 16.04.7.1

No issues with with JSON format. The add-on itself is rather lacking in the sourcetypes and covers just the main ones like conn, dns, ssl... definitely add the ones you would like to parse a little more.

I personally like the JSON format more than TSV but it does support that fine as well with its sourcetype autotyping/dynamic extraction. 

I would beware of the TIME_FORMAT in props.conf as Zeek by default uses epoch but Security Onion has been configured to use ISO8601

If using ISO8601 substitute TIME_FORMAT = %s.%6N for TIME_FORMAT = %Y-%m-%dT%H:%M:%S.%6%z

View solution in original post

0 Karma

Glasses
Contributor

Thanks for the reply.

We could not get the add-on to work with our 3.x version of Zeek for some reason.  Maybe we will try again.  Json format is working fine for us as well. 

We did see a strange Splunk Time Stamp issue for specific Zeek sourcetypes where Splunk shuffled some of the current events (with recent epoch time) back in time, giving the events a time stamp of years earlier.  We fixed it with a couple of sedcmd entries in  props.conf,  seems to be ok now.

 

 

0 Karma