Forwarding bro logs to syslog server


ajbur...@gmail.com

Dec 21, 2016, 11:32:23 AM
to security-onion
Hey All,

I'm trying to set up my SO Sensor to forward Bro logs to my external syslog server.

The syslog server is setup to receive data using UDP port 514 without authentication or encryption. Currently my syslog-ng config file looks like the following:

# Send the messages to an other host
#
destination d_net { tcp("172.23.11.140" port(514) log_fifo_size(1000)); };


Is there another way that this should be set up? When I first tried to set up the file, I used authentication(off), and it caused the syslog-ng service not to restart.

Any ideas?

Wes

Dec 21, 2016, 1:18:09 PM
to security-onion

Have you tried modifying the following portion as well?

# All messages send to a remote site
#
#log { source(s_syslog); destination(d_net); };

Thanks,
Wes

ajbur...@gmail.com

Dec 21, 2016, 3:03:14 PM
to security-onion
Originally I did not as I didn't know that was required. But it appears it is working now:

cirt@seconion-sensor1:~$ sudo tcpdump -i eth0 dst 172.23.11.140
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
20:02:01.629702 IP 172.23.25.76.60930 > syslog.XXXX.syslog: SYSLOG authpriv.info, length: 114
20:02:01.630296 IP 172.23.25.76.60930 > syslog.XXXX.syslog: SYSLOG cron.info, length: 150
20:02:01.632710 IP 172.23.25.76.60930 > syslog.XXXX.syslog: SYSLOG authpriv.info, length: 114


Will confirm back once our Splunk team can check the incoming connections on that server.

Thanks Wes!

Mike Eriksson

Jan 1, 2017, 7:25:44 AM
to security-onion

> Will confirm back once our Splunk team can check the incoming connections on that server.
>
> Thanks Wes!

Wes,

I just spotted your post here and after having looked at roughly the same things myself I thought I'd pipe in.

I've found the Bro add-on ( https://splunkbase.splunk.com/app/1617/ ) to work quite well - it saves you quite some time in the Splunk end too.

The way I did it was that I installed the add-on on my Splunk server then the normal forwarder and add-on on the Bro server. To keep things tidy - and easy to test - I created a new index on the Splunk server and made sure that the forwarder/add-on sends the data to that particular index.

Once that was done - magic happened and it was all there and ready to be used.

Might be worth a look?

Cheers, Mike

Austin Burkeen

Jan 21, 2017, 3:35:17 AM
to securit...@googlegroups.com
This is also how we did it.


--
Follow Security Onion on Twitter!
https://twitter.com/securityonion
---
You received this message because you are subscribed to a topic in the Google Groups "security-onion" group.
To unsubscribe from this topic, visit https://groups.google.com/d/topic/security-onion/uhNLZCfMKwA/unsubscribe.
To unsubscribe from this group and all its topics, send an email to security-onion+unsubscribe@googlegroups.com.
To post to this group, send email to security-onion@googlegroups.com.
Visit this group at https://groups.google.com/group/security-onion.
For more options, visit https://groups.google.com/d/optout.

B Keep

Jan 22, 2017, 1:20:35 PM
to security-onion
On Saturday, January 21, 2017 at 2:35:17 AM UTC-6, Austin Burkeen wrote:
> This is also how we did it.

I send BRO logs to a Graylog instance. I even created a content pack for Graylog that includes dashboards etc. for viewing BRO info: https://github.com/alias454/graylog-bro-content-pack.

The basics are setting a destination and log sources you are interested in sending elsewhere.

destination d_net { syslog("rsyslog.server.tld" transport(tcp) port(514)); };

log {
source(s_bro_conn);
source(s_bro_http);
source(s_bro_dns);
...
source(s_bro_dnp3);
rewrite(r_from_pipes);
rewrite(r_pipes);
log { filter(f_bro_headers); flags(final); };
log { destination(d_net); };
};

Regards,
Brandon
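A collector-side check for the forward described in this thread, written as an added example (not code from the thread or from Security Onion): it parses the syslog lines the syslog-ng config emits once f_bro_headers has dropped the '#' lines and r_pipes has turned Bro's tabs into pipes, and summarises a captured batch so that a leaked header or a wrong field count points back at the config rather than at the collector. The BSD-style syslog framing, the program name bro_conn and the conn.log column list are assumptions, and the sample lines are constructed.

```python
import re

# Column order of a Bro 2.x conn.log; other Bro logs need their own list.
CONN_COLUMNS = ("ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service "
                "duration orig_bytes resp_bytes conn_state local_orig local_resp "
                "missed_bytes history orig_pkts orig_ip_bytes resp_pkts "
                "resp_ip_bytes tunnel_parents").split()

# Assumed BSD-style framing: <PRI>Mon DD HH:MM:SS host program: message
SYSLOG_RE = re.compile(r"^<(?P<pri>\d{1,3})>\w{3} {1,2}\d{1,2} \d\d:\d\d:\d\d "
                       r"(?P<host>\S+) (?P<prog>[^:\s]+): (?P<msg>.*)$")

# Constructed samples: one good record, and one '#fields' header line that a
# config without the f_bro_headers/flags(final) rule would leak to the collector.
SAMPLE_LINES = [
    "<134>Dec 21 20:02:01 seconion-sensor1 bro_conn: 1482350521.629702|CAbc123|"
    "172.23.25.76|60930|172.23.11.140|514|udp|syslog|0.003|378|0|S0|T|F|0|D|3|462|0|0|(empty)",
    "<134>Dec 21 20:02:01 seconion-sensor1 bro_conn: #fields|ts|uid|id.orig_h",
]


def parse_forwarded(line, columns=CONN_COLUMNS):
    """Parse one forwarded Bro record. None for a non-syslog line; a leaked
    '#' header is flagged instead of being split into bogus fields."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    pri = int(m.group("pri"))
    rec = {"facility": pri // 8, "severity": pri % 8,   # 134 -> local0.info
           "host": m.group("host"), "program": m.group("prog"), "header": False}
    msg = m.group("msg")
    if msg.startswith("#"):
        rec["header"] = True
        return rec
    fields = msg.split("|")          # r_pipes replaced the Bro tabs with pipes
    rec["field_count_ok"] = len(fields) == len(columns)
    rec["record"] = dict(zip(columns, fields))
    return rec


def check_forward(lines, columns=CONN_COLUMNS):
    """Count usable records versus lines that point at a syslog-ng config problem."""
    summary = {"records": 0, "leaked_headers": 0, "bad_field_count": 0, "unparsed": 0}
    for rec in (parse_forwarded(l, columns) for l in lines):
        key = ("unparsed" if rec is None else "leaked_headers" if rec["header"]
               else "bad_field_count" if not rec["field_count_ok"] else "records")
        summary[key] += 1
    return summary
```

Feed it the lines captured on the collector (for example the payloads of the datagrams seen with tcpdump) and a non-zero leaked_headers or bad_field_count count means the filter or rewrite statements were not applied to that source.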
