[Bro] Writing logs to both ASCII and JSON
jan.grashoefer at gmail.com
Wed Jan 11 15:22:08 PST 2017
> When I run bro against a pcap, I get the following error:
> "expression error in /opt/bro/share/bro/test/./add-json.bro, line 34: field
> value missing [Log::filter$path]"
I've just tested the script using 2.4.1 and 2.5 on try.bro.org
(http://try.bro.org/#/trybro/saved/115989) and locally using 2.5 with a
different path for JSON-logs. Unfortunately I am unable to reproduce
Maybe we can shed some light on this if we know which log doesn't
provide a path. Can you try to replace line 34 with:
    if ( filter?$path )
        filter$path = string_cat(path_json, filter$path, "-json");
    else
        # Report the stream whose filter has no path
        Reporter::error(fmt("Path missing for %s", id));
That should provide some hint on which logs don't define a filter path.
If you can share your test pcap that might be of interest, too. One
thing I could imagine would be some kind of timing issue. Maybe playing
with the events &priority has influence on your results.