[Bro] JSON logging of datasource or 'path' value

Johanna Amann johanna at icir.org
Tue Jun 6 09:27:18 PDT 2017

Hi Chris,

> I'm experimenting with the JSON output and wanting to manually feed logs to
> logstash via 'cat | nc'.  Is it possible to have the JSON output write the
> datatype or 'path' value similar to what is written as a metadata field at
> the top of ascii logs, but include it in each record for easy parsing in
> Logstash?

Yes, this is possible using log extension functions, more specifically by
redefining Log::default_ext_func.

Bro actually contains a testcase that has a script that basically does
exactly what you want:

That script adds three fields to each logfile (_write_ts, _stream, and
_system_name). For your case, you only want _stream, but apart from that
this approach should directly work for you.

I hope this helps,

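Added example (not from the thread or the Bro test suite) of the approach described above, reduced to the single _stream-style field the question asks for. It assumes a Bro release that has log extension functions (2.5 or later); the record and function names PathExtension and add_path are my own.

```bro
# Attach the log stream's path ("conn", "dns", "http", ...) to every record
# by redefining Log::default_ext_func. Log::default_ext_prefix ("_" by
# default) is prepended to the field name on output, so "path" is written
# as "_path" in each JSON object, e.g. {"_path":"conn","ts":...,"uid":...}.
@load base/frameworks/logging

# Record holding the extra field(s) appended to every log entry.
type PathExtension: record {
	path: string &log;
};

# Called once per log write; `path` is the stream's log path.
function add_path(path: string): PathExtension
	{
	return PathExtension($path = path);
	}

redef Log::default_ext_func = add_path;

# Emit one JSON object per line so `cat | nc` into logstash needs no
# header parsing (assumes the ASCII writer is in use).
redef LogAscii::use_json = T;
```

Drop this script in local.bro (or `@load` it) and every JSON line carries `_path`, which logstash can use to route or tag records per stream.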