[Bro] Writing logs to both ACII and JSON
gordonjamesr at gmail.com
Mon Jan 9 07:27:31 PST 2017
Apologies in advance if this is an uninformed question - is it possible to
configure Bro to write logs to both ASCII and JSON outputs (in different
directories, preferably)? There's another active thread on the mailing list
at the moment about using multiple logger instances in Bro 2.5 which got me
thinking that maybe this problem could be addressed by running multiple
logger instances - one for ASCII logs, and one for JSON. If I understand
the architecture correctly, I'd love to see a single manager instance
duplicate all the data to send to both logger instances, and have one write
ASCII and one to JSON. Is this a possibility? If so, how would I go about
configuring this? I should note that my bro-knowledge is pretty limited to
loading scripts from git hub and some very basic whitelisting, so
unfortunately I'm not very comfortable modifying or writing bro code.
My organization relies on ASCII logs for plain text retention and all our
normal 'nix plain text searching utilities, but I've been experimenting
with Graylog and importing Bro JSON logs to Graylog is too easy and
flexible for us to find the time to write grok parsers for our ASCII logs.
We're not prepared to not write logs to ASCII in prod, so I'm hopeful that
there's an almost easy way to get logs in both formats. For additional
context we run Bro on Security Onion, and we're currently running 2.4.1 in
prod but plan to upgrade to 2.5 soon. I do have a test environment with
Security Onion and Bro 2.5 available to me.
Any advice / steps on how to achieve this would be much appreciated!
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the Bro