Splunk Enterprise Security

Whats the best way to get bro logs from an IDS to Splunk Enterprise Security thats running on a seperate server?


Right now we have another instance of splunk and bro addon running on the IDS, the bro index is then forwarded to the main Splunk/ES. Assume we need another bro addon the main server (the messages are still ugly). Is this correct? If so how do we set an addon to monitor an index? Hope we're making this harder than it needs to be..

0 Karma

Splunk Employee
Splunk Employee

Hi ssackrider,

Not sure what you mean by main Splunk/ES, but if this is your indexer, and you have already forwarded Bro logs to this server using a heavy forwarder, then you do not need to install another Bro Add-on on the indexer. However, if you also use a search head, you must also install the Bro Add-on on the search head in order to properly perform searches on indexed events.
In short, in a distributed environment, you must install the Bro Add-on on the search head, and either indexer or the heavy forwarder.
For more installation info, please refer to this section:


Hope it helps, thanks!

0 Karma
Get Updates on the Splunk Community!

.conf24 | Day 0

Hello Splunk Community! My name is Chris, and I'm based in Canberra, Australia's capital, and I travelled for ...

Enhance Security Visibility with Splunk Enterprise Security 7.1 through Threat ...

 (view in My Videos)Struggling with alert fatigue, lack of context, and prioritization around security ...

Troubleshooting the OpenTelemetry Collector

  In this tech talk, you’ll learn how to troubleshoot the OpenTelemetry collector - from checking the ...