[Bro-Dev] best way to apply NLP to syslog entries?

Karl Pietrzak karl.pietrzak at twosixlabs.com
Thu Nov 8 14:29:42 PST 2018


Hey everyone!

We're working on analyzing semi-structured logs (such as syslog, Windows
events, etc.), and I'm trying to figure out if Bro/Zeek is the right tool
for the job.

Bro/Zeek has great support for parsing syslog messages into its parts
<https://www.bro.org/sphinx/scripts/base/protocols/syslog/main.bro.html>[1],
but we wanna take it one step further, applying some NLP to the message
part of the syslog entry, such as named entity extraction.

What's the best way to integrate something like this?

1. Forking the syslog script from bro/scripts/base/protocols/syslog [2],
   and using Zeek's FFI to integrate some C/C++ code?
2. Use whatever NLP tools I prefer, and integrate the Broccoli Client
   Communications Library
   <https://www.bro.org/sphinx/components/broccoli/broccoli-manual.html> [3]
   to send events to Bro/Zeek?

Maybe there are other, better ways to do this. Any advice on this matter
would be appreciated!

Thank you!

[1]: https://www.bro.org/sphinx/scripts/base/protocols/syslog/main.bro.html
[2]: https://github.com/bro/bro/tree/master/scripts/base/protocols/syslog
[3]: https://www.bro.org/sphinx/components/broccoli/broccoli-manual.html