If you’re running a dedicated Bro IDS sensor and want to get the Bro events into Splunk, you can do so very easily using the Security Onion for Splunk app along with the Security Onion for Splunk Server/Sensor addon. How easy?
- Install Security Onion for Splunk on your Splunk server.
- Install Splunk’s universal forwarder on your Bro sensor.
- Install the Server/Sensor addon on your Bro sensor. Follow the installation instructions in the link, and when you edit the inputs.conf file, disable all the non-Bro sourcetypes and change the monitor paths to your Bro log path.
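As an added illustration of that inputs.conf edit (this is not the addon's shipped file): one non-Bro stanza left in place but disabled, and the Bro monitor stanza pointed at the sensor's log directory. The stanza paths, sourcetype names and the Bro log path below are assumptions; take the real ones from the addon's own inputs.conf and from where your Bro instance actually writes logs.

```ini
# Constructed example of a Bro-only inputs.conf on the sensor.
# Splunk .conf files only accept full-line comments, so every
# note sits on its own line.

# A non-Bro input the addon ships (path and sourcetype are
# hypothetical here). Keep the stanza so the addon stays
# intact, but disable it on a Bro-only sensor.
[monitor:///nsm/sensor_data/snort.log]
sourcetype = snort
disabled = 1

# The Bro input. Point it at the directory holding the live
# logs (assumed /usr/local/bro/logs/current for a source
# install; Security Onion uses /nsm/bro/logs/current).
[monitor:///usr/local/bro/logs/current]
sourcetype = bro
disabled = 0
# Skip rotated, compressed archives so they are not re-indexed
# and do not eat licence volume.
blacklist = \.gz$
```

After editing, restart the universal forwarder and check the Splunk search head for events with the new sourcetype before trusting any of the app's views.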
You’ll miss out on a few views here and there, but the Security Onion for Splunk app is built around Bro IDS logs. I promise you can get a lot of mileage out of the app with a Bro-only deployment. Just watch that Splunk licensing volume!
Now go get splunky, Bro.