In BRO 2.5.X there are about 3 or 4 log files that have SSL certificate information: x509.log, ssl.log, conn.log and dns.log. In the simplest process, I think I need to either build a series of searches or use multisearch or join in SPL. In fact, I would like for it all to be SPL. Not all fields are in all logs, so I have to connect field A in log A with field A in log B, create a new field B from logs A and B, and use that in log C to get fields D and E, then create a dashboard, or I can start off with a table. (Each log is a separate source type.)
Some of the fields in BRO that are applicable are uid, fuid, CN, id_resp_h, txhost, rxhost.
Thus.
Can anyone give some guidance on this?
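
One way to chain the logs as the question describes, added here as an example that is not part of the original post: ssl.log and x509.log are tied together on the certificate's file ID (fuid), and the result is then tied to conn.log on uid. The sourcetype names (`bro_ssl`, `bro_x509`, `bro_conn`) are placeholders, and the search assumes TSV-format logs where `cert_chain_fuids` is a comma-separated string and dotted Bro field names arrive with underscores (`certificate_subject`, matching the `id_resp_h` form used above).

```spl
(sourcetype=bro_ssl) OR (sourcetype=bro_x509)
| eval fuid=case(sourcetype=="bro_ssl", mvindex(split(cert_chain_fuids, ","), 0),
                 sourcetype=="bro_x509", id)
| where isnotnull(fuid)
| rex field=certificate_subject "CN=(?<CN>[^,]+)"
| stats values(uid) AS uid
        values(id_resp_h) AS id_resp_h
        values(server_name) AS server_name
        values(CN) AS CN
        values(certificate_issuer) AS issuer
        values(certificate_not_valid_after) AS not_valid_after
        dc(sourcetype) AS sources
        BY fuid
| where sources=2
| mvexpand uid
| join type=left uid
    [ search sourcetype=bro_conn
      | fields uid id_orig_h id_resp_p duration ]
| table uid fuid id_orig_h id_resp_h id_resp_p server_name CN issuer not_valid_after duration
```

The first `fuid` in `cert_chain_fuids` is the server's own certificate, so `mvindex(..., 0)` skips the intermediates. `join` runs a subsearch with result limits, so over long time ranges a second `stats ... BY uid` across the combined sourcetypes is the more reliable way to bring in the conn.log fields.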