[Bro] problem with bro json log format

erik clark philosnef at gmail.com
Mon Sep 26 06:57:47 PDT 2016


Yep, I had just gone down that route. :) I had mistakenly believed that
json.tool did more than one record at once. Thanks for the fast response
Justin!

On Mon, Sep 26, 2016 at 9:51 AM, Azoff, Justin S <jazoff at illinois.edu>
wrote:

> > On Sep 26, 2016, at 9:47 AM, erik clark <philosnef at gmail.com> wrote:
> >
> > So, I am not sure what's going on, but when I do:
> >
> > python -m json.tool < $somelog
> >
> > I get
> >
> > Extra data: line 2 column 1 - line 3 column 1 (char 507 - 1011)
> >
> > All I did was turn json format logging on in ascii writer conf. All of my
> > bro logs can't seem to be parsed by json.tool....
>
> json.tool tries to read the entire log file as a single json record when
> it consists of one json record per line.
>
> Use jq instead: https://stedolan.github.io/jq/
>
>
>
> --
> - Justin Azoff
>
>
>
>
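
The failure and the fix discussed in this thread, as an added example that is not part of the original messages: parsing the whole file as one JSON document raises "Extra data", while parsing one record per line succeeds and isolates a damaged line. The sample log, its field values and the function names are constructed for illustration.

```python
import json

# Constructed sample in the one-JSON-record-per-line layout described above:
# two complete records, a blank line, and a truncated record.
SAMPLE_LOG = (
    '{"ts":1474898267.0,"uid":"CExample1","id.orig_h":"192.0.2.10","id.resp_p":53,"proto":"udp"}\n'
    '{"ts":1474898268.5,"uid":"CExample2","id.orig_h":"192.0.2.11","id.resp_p":443,"proto":"tcp"}\n'
    '\n'
    '{"ts":1474898269.1,"uid":"CExam\n'
)


def whole_file_error(text):
    """Parse the input as a single JSON document, as json.tool does.

    Returns the decoder's error message, or None if the parse succeeds.
    """
    try:
        json.loads(text)
    except json.JSONDecodeError as exc:
        return exc.msg
    return None


def parse_json_lines(text):
    """Parse one JSON record per line; return (records, errors)."""
    records, errors = [], []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if not line.strip():
            continue  # blank lines carry no record
        try:
            records.append(json.loads(line))
        except json.JSONDecodeError as exc:
            # Keep going: one damaged line should not hide the other records.
            errors.append((lineno, exc.msg))
    return records, errors


if __name__ == "__main__":
    print("whole-file parse:", whole_file_error(SAMPLE_LOG))
    records, errors = parse_json_lines(SAMPLE_LOG)
    for rec in records:
        print(json.dumps(rec, indent=4, sort_keys=True))
    for lineno, msg in errors:
        print(f"line {lineno}: {msg}")
```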