[Bro] ElasticSearch plugin
Azoff, Justin S
jazoff at illinois.edu
Tue Jun 14 07:21:20 PDT 2016
> On Jun 14, 2016, at 9:04 AM, Vlad Grigorescu <vladg at illinois.edu> wrote:
>
> I think the better solution would simply be to make the record separator
> redef-able in the formatter. I can *maybe* see the argument for using
> '.' instead of '$' in the ASCII logs, but since the other separators are
> user-definable, I think this one should be as well.
I know we talked about this at one point; I think the real fix is to log nested records natively in JSON.
The ASCII writer needs to expand nested fields, but the JSON writer doesn't, so it can natively log a conn record as
{id: {orig_h: "1.2.3.4", orig_p: 123, resp_h: "5.6.7.8", resp_p: 456}, ... }
--
- Justin Azoff
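As an added illustration of the distinction Justin draws above (this is example code written for this page, not code from Bro or from anyone in the thread), the following Python models both writers over a constructed conn-style record. The flat writer has to expand the nested `id` record into columns such as `id.orig_h`, with the separator as a parameter standing in for the redef-able record separator Vlad proposes; the JSON writer keeps `id` nested as-is. The record contents, the `sep` parameter and the helper names are assumptions for the example.

```python
import json

# Constructed sample shaped like a Bro conn log entry (not real traffic).
CONN_RECORD = {
    "ts": 1465913800.0,
    "uid": "CXWv6p3arKYeMETxOg",
    "id": {
        "orig_h": "1.2.3.4",
        "orig_p": 123,
        "resp_h": "5.6.7.8",
        "resp_p": 456,
    },
    "proto": "tcp",
}


def flatten(record, sep=".", prefix=""):
    """Expand nested records into one flat mapping, as a columnar (ASCII)
    writer must.  `sep` stands in for the record separator ('.' or '$')
    discussed in the thread; it is a parameter here, not Bro's own API."""
    flat = {}
    for key, value in record.items():
        name = f"{prefix}{sep}{key}" if prefix else key
        if isinstance(value, dict):
            flat.update(flatten(value, sep, name))
        else:
            flat[name] = value
    return flat


def ascii_line(record, sep=".", field_sep="\t"):
    """Return (header, data) as a tab-separated flat writer would emit them."""
    flat = flatten(record, sep)
    header = field_sep.join(flat)
    data = field_sep.join(str(v) for v in flat.values())
    return header, data


def json_line(record):
    """JSON writer: the nested record needs no expansion at all."""
    return json.dumps(record, separators=(",", ":"))


def json_roundtrip(record):
    """Parse what json_line emitted; nesting survives unchanged."""
    return json.loads(json_line(record))


def unflatten(flat, sep="."):
    """Rebuild nesting from flattened column names.  This is only
    unambiguous while no field name itself contains `sep`, which is
    one reason native nesting is the cleaner fit for JSON."""
    nested = {}
    for name, value in flat.items():
        parts = name.split(sep)
        node = nested
        for part in parts[:-1]:
            node = node.setdefault(part, {})
        node[parts[-1]] = value
    return nested


if __name__ == "__main__":
    header, data = ascii_line(CONN_RECORD)
    print(header)
    print(data)
    print(ascii_line(CONN_RECORD, sep="$")[0])
    print(json_line(CONN_RECORD))
```

Running the block prints the flat header twice, once with `.` and once with `$` as the record separator, followed by the JSON line in which `id` is still a nested object.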