Hi Steve,
Thanks for clarifying the installation part for the App. Appreciate it.
I looked into the props file that the app uses, and noted that it uses the INDEXED_EXTRACTIONS attribute to extract the fields from the structured input (as Bro log files are TSV formatted).
I was reading about structured log parsing in Splunk and came across this (from the Splunk documentation):
Caveats
Splunk Enterprise does not parse structured data that has been forwarded to an indexer
When you forward structured data to an indexer, Splunk Enterprise does not parse this data once it arrives at the indexer, even if you have configured props.conf on that indexer with INDEXED_EXTRACTIONS. Forwarded data skips the following queues on the indexer, which precludes any parsing of that data on the indexer:
parsing, aggregation, typing
The forwarded data must arrive at the indexer already parsed. To achieve this, you must also set up props.conf on the forwarder that sends the data. This includes configuration of INDEXED_EXTRACTIONS and any other parsing, filtering, anonymizing, and routing rules. Universal forwarders are capable of performing these tasks solely for structured data. See "Forward data extracted from header files" earlier in this topic.
Hence, I haven't tried the configuration you mentioned above, but was wondering whether the TA on the indexers would be able to work as intended, since no parsing would be done on the indexer for structured data, as per the Splunk doc.
Also, I am running the current version of Bro, v2.4.1, and one of the major changes in Bro logging in this version is that Bro changed some of the field names to include a '.' (for example, id_orig_h changed to id.orig_h). Therefore the current version of the TA might not be able to extract all the fields (especially the fields containing '.'), as Splunk doesn't allow '.' as a valid character when naming extracted fields, so some changes (i.e. renaming of some extracted fields) might need to be incorporated in the props.conf file rather than having the fields dynamically extracted based on the log.
I didn't get time to play around with tweaking the defaults of the TA, so I don't know if that renaming of the INDEX-EXTRACTED fields would work with the current version of the TA.
Thanks,
Fatema.
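As an added example (not part of this thread, the TA, or Bro itself), the Python script below walks the header block that Bro's ASCII writer puts in front of every TSV log (#separator, #fields, #types, #unset_field and so on), renames dotted field names such as id.orig_h to id_orig_h as the post discusses, and emits a candidate props.conf stanza for the forwarder that would carry those renamed names. The sample conn.log is constructed, the sourcetype name bro_conn is made up, and the idea of using FIELD_NAMES alongside FIELD_HEADER_REGEX to override the header names is an assumption to be checked against the props.conf spec for your Splunk version and the TA's own defaults.

```python
"""Parse a Bro 2.4-style TSV log and normalise dotted field names.

Bro's ASCII writer prefixes each log with header lines (#separator,
#set_separator, #empty_field, #unset_field, #path, #open, #fields,
#types) and ends it with #close.  Field names like id.orig_h contain a
'.', so this helper also produces the underscore form and a props.conf
stanza that lists the renamed fields.  Example code, not the TA's own.
"""
from typing import Dict, List

# Constructed sample of a Bro 2.4.1 conn.log; not a real capture.
SAMPLE_CONN_LOG = """\
#separator \\x09
#set_separator\t,
#empty_field\t(empty)
#unset_field\t-
#path\tconn
#open\t2016-01-20-10-00-00
#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tservice\tduration\torig_bytes\tresp_bytes\tconn_state
#types\ttime\tstring\taddr\tport\taddr\tport\tenum\tstring\tinterval\tcount\tcount\tstring
1453284000.123456\tCXWv6p3arKYeMETxOg\t192.0.2.10\t51234\t198.51.100.20\t443\ttcp\tssl\t1.234\t512\t2048\tSF
1453284001.654321\tC4J4Th3PJpwUYZZ6gc\t192.0.2.11\t51235\t198.51.100.21\t53\tudp\tdns\t-\t64\t-\tS0
#close\t2016-01-20-10-05-00
"""


def _decode_separator(spec: str) -> str:
    """Bro writes the column separator as an escape such as \\x09 (tab)."""
    if spec.startswith("\\x"):
        return chr(int(spec[2:], 16))
    return spec


def splunk_field_name(name: str) -> str:
    """Replace the '.' that Bro 2.4 introduced in field names with '_'."""
    return name.replace(".", "_")


def parse_bro_log(text: str) -> Dict[str, object]:
    """Return the original and renamed field lists plus the data rows.

    Unset values (#unset_field, normally '-') become None and empty
    values (#empty_field, normally '(empty)') become '' in each row.
    """
    sep = "\t"
    header: Dict[str, List[str]] = {}
    fields: List[str] = []
    rows: List[Dict[str, object]] = []
    for raw in text.splitlines():
        if not raw:
            continue
        if raw.startswith("#separator "):
            # The separator line is the only one delimited by a space,
            # because the real separator is not known until it is read.
            sep = _decode_separator(raw.split(" ", 1)[1])
            continue
        if raw.startswith("#"):
            key, _, value = raw[1:].partition(sep)
            header[key] = value.split(sep) if key in ("fields", "types") else [value]
            if key == "fields":
                fields = [splunk_field_name(f) for f in header["fields"]]
            continue
        if not fields:
            raise ValueError("data row seen before the #fields header")
        values = raw.split(sep)
        if len(values) != len(fields):
            raise ValueError(f"expected {len(fields)} columns, got {len(values)}")
        unset = header.get("unset_field", ["-"])[0]
        empty = header.get("empty_field", ["(empty)"])[0]
        row: Dict[str, object] = {}
        for name, value in zip(fields, values):
            row[name] = None if value == unset else "" if value == empty else value
        rows.append(row)
    return {
        "fields": header.get("fields", []),
        "splunk_fields": fields,
        "types": header.get("types", []),
        "rows": rows,
    }


def props_conf_stanza(sourcetype: str, original_fields: List[str]) -> str:
    """Build a props.conf stanza for the forwarder with renamed field names.

    Assumption (not verified against every Splunk release): FIELD_NAMES
    overrides the names taken from the #fields line matched by
    FIELD_HEADER_REGEX.  Check the props.conf spec for your version.
    """
    names = ",".join(splunk_field_name(f) for f in original_fields)
    return "\n".join([
        f"[{sourcetype}]",
        "INDEXED_EXTRACTIONS = tsv",
        "FIELD_HEADER_REGEX = ^#fields\\t(.*)",
        "TIMESTAMP_FIELDS = ts",
        f"FIELD_NAMES = {names}",
    ])


if __name__ == "__main__":
    parsed = parse_bro_log(SAMPLE_CONN_LOG)
    print(parsed["splunk_fields"])
    for r in parsed["rows"]:
        print(r["id_orig_h"], "->", r["id_resp_h"], r["id_resp_p"], r["duration"])
    print(props_conf_stanza("bro_conn", parsed["fields"]))
```

Because the indexer skips the parsing queue for forwarded data, a stanza like this has to live on the forwarder (or a heavy forwarder) that reads the Bro logs, not only on the indexer.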