Splunk Enterprise Security

Whats the best way to get bro logs from an IDS to Splunk Enterprise Security thats running on a seperate server?


Right now we have another instance of splunk and bro addon running on the IDS, the bro index is then forwarded to the main Splunk/ES. Assume we need another bro addon the main server (the messages are still ugly). Is this correct? If so how do we set an addon to monitor an index? Hope we're making this harder than it needs to be..

0 Karma

Splunk Employee
Splunk Employee

Hi ssackrider,

Not sure what you mean by main Splunk/ES, but if this is your indexer, and you have already forwarded Bro logs to this server using a heavy forwarder, then you do not need to install another Bro Add-on on the indexer. However, if you also use a search head, you must also install the Bro Add-on on the search head in order to properly perform searches on indexed events.
In short, in a distributed environment, you must install the Bro Add-on on the search head, and either indexer or the heavy forwarder.
For more installation info, please refer to this section:


Hope it helps, thanks!

0 Karma
Get Updates on the Splunk Community!

NEW! Log Views in Splunk Observability Dashboards Gives Context From a Single Page

Today, Splunk Observability releases log views, a new feature for users to add their logs data from Splunk Log ...

Last Chance to Submit Your Paper For BSides Splunk - Deadline is August 12th!

Hello everyone! Don't wait to submit - The deadline is August 12th! We have truly missed the community so ...

Ready, Set, SOAR: How Utility Apps Can Up Level Your Playbooks!

 WATCH NOW Powering your capabilities has never been so easy with ready-made Splunk® SOAR Utility Apps. Parse ...