[Bro] Question : How can I change a particular log file format?

Johanna Amann johanna at icir.org
Fri Apr 1 01:59:10 PDT 2016


Hello Aneela,

On Sun, Mar 27, 2016 at 08:56:12AM +0000, Aneela Safdar wrote:
> I am a newbie at Bro and wanted to change the log format of the http.log
> file to JSON. Currently I have made changes in ascii.bro and now I am getting
> all logs in JSON format, but what do I have to do if I only want http.log to
> have that format and the others to keep the default?

You can do something like this in bro_init:

event bro_init()
    {
    local f = Log::get_filter(HTTP::LOG, "default"); # get default filter
    f$config = table(["use_json"] = "T"); # set json config option
    Log::add_filter(HTTP::LOG, f); # replace default filter
    }

> Also my log files still have the .log extension; how can I change it to .json?

You sadly cannot change it for a single log file, just for all of them (by
setting the BRO_LOG_SUFFIX environment variable).

I hope this helps,
 Johanna
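
With the filter change above, http.log is written as JSON while the other logs keep the default tab-separated format, and every file still ends in .log, so a log consumer has to detect the format from the content. The following is an added example, not part of the original message or of Bro itself; read_bro_log and parse are hypothetical names, the sample records are constructed, and the default tab separator is assumed.

```python
import json

def read_bro_log(lines):
    """Yield one dict per record from Bro log lines in either writer format."""
    fields, unset, empty = None, "-", "(empty)"
    for raw in lines:
        line = raw.rstrip("\r\n")
        if not line:
            continue
        if line.startswith("{"):
            # JSON writer: one object per line, unset fields are omitted.
            yield json.loads(line)
        elif line.startswith("#"):
            # ASCII writer metadata such as #fields, #unset_field, #close.
            key, _, rest = line[1:].partition("\t")
            if key == "fields":
                fields = rest.split("\t")
            elif key == "unset_field":
                unset = rest
            elif key == "empty_field":
                empty = rest
        else:
            if fields is None:
                raise ValueError("TSV record seen before a #fields header")
            values = line.split("\t")
            if len(values) != len(fields):
                raise ValueError("column count does not match #fields")
            # Drop unset columns so TSV records have the same keys as JSON ones.
            yield {k: "" if v == empty else v
                   for k, v in zip(fields, values) if v != unset}

def parse(text):
    """Parse a whole log given as one string and return a list of records."""
    return list(read_bro_log(text.splitlines()))

# Constructed sample data (not taken from a real capture).
SAMPLE_CONN_TSV = "\n".join([
    "#separator \\x09",
    "#set_separator\t,",
    "#empty_field\t(empty)",
    "#unset_field\t-",
    "#path\tconn",
    "#fields\tts\tuid\tid.orig_h\tid.resp_p\tservice",
    "#types\ttime\tstring\taddr\tport\tstring",
    "1459500000.000000\tCabc123\t192.0.2.10\t80\t-",
    "#close\t2016-04-01-02-00-00",
])
SAMPLE_HTTP_JSON = ('{"ts":1459500000.1,"uid":"Cabc123",'
                    '"id.orig_h":"192.0.2.10","method":"GET","host":"example.com"}')
```

Values from the tab-separated logs come back as strings while the JSON records carry typed values (ts is a number), so normalise types before joining the two on uid.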

