[Bro] problem with bro json log format
Frank Meier
franky.meier.1 at gmx.de
Wed Sep 28 01:46:36 PDT 2016
Hi,
On Mon, 26 Sep 2016 13:51:37 +0000
"Azoff, Justin S" <jazoff at illinois.edu> wrote:
> > On Sep 26, 2016, at 9:47 AM, erik clark <philosnef at gmail.com> wrote:
> >
> > So, I am not sure what's going on, but when I do:
> >
> > python -m json.tool < $somelog
> >
> > I get
> >
> > Extra data: line 2 column 1 - line 3 column 1 (char 507 - 1011)
> >
> > All I did was turn json format logging on in ascii writer conf. All
> > of my bro logs can't seem to be parsed by json.tool....
>
> json.tool tries to read the entire log file as a single json record
> when it consists of one json record per line.
>
> Use jq instead: https://stedolan.github.io/jq/
>
>
I would propose an alternative sticking to base python:

    import json
    with open('conn.log') as conn:
        for line in conn:          # one JSON record per line
            print(json.loads(line))

or bash:

    # read whole lines; "for line in $(cat conn.log)" would split each
    # record at every space and glob-expand it
    while IFS= read -r line; do
        printf '%s\n' "$line" | python -m json.tool
    done < conn.log
Franky
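As an added example (not code from the thread), a Python 3 reader that first reproduces the "Extra data" error from feeding the whole file to the decoder, then parses the Bro JSON log one record per line, skipping blank lines and reporting truncated ones by line number. The conn.log records are constructed sample data.

```python
import json

# Constructed sample of a Bro conn.log written by the ASCII writer in JSON
# mode: one object per line, no enclosing array (values are made up).
SAMPLE_CONN_LOG = (
    '{"ts":1474897604.123,"uid":"CXy1a4b2c3","id.orig_h":"10.0.0.5",'
    '"id.resp_h":"93.184.216.34","id.resp_p":80,"proto":"tcp",'
    '"service":"http","orig_bytes":512,"resp_bytes":1024,"conn_state":"SF"}\n'
    '{"ts":1474897605.456,"uid":"CZq9d8e7f6","id.orig_h":"10.0.0.7",'
    '"id.resp_h":"10.0.0.53","id.resp_p":53,"proto":"udp",'
    '"service":"dns","orig_bytes":60,"resp_bytes":120,"conn_state":"SF"}\n'
    '\n'
    '{"ts":1474897606.789,"uid":"CAb3c2d1e0","id.orig_h":"10.0.0.5",'
    '"id.resp_h":"93.184.216.34","id.resp_p":443,"proto":"tcp",'
    '"service":"ssl","orig_bytes":2048,"resp_bytes":8192,"conn_state":"S0"}\n'
)

def whole_file_error(text):
    """Reproduce the reported failure: json.tool hands the whole file to
    json.loads, which parses the first object and rejects the rest ('Extra data')."""
    try:
        json.loads(text)
    except json.JSONDecodeError as e:
        return e.msg
    return None

def parse_bro_json(text):
    """Decode one record per line. Blank lines are skipped; a line that does
    not decode (e.g. a record truncated mid-write during log rotation) is
    reported with its 1-based line number instead of aborting the whole run."""
    records, errors = [], []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if not line.strip():
            continue
        try:
            records.append(json.loads(line))
        except json.JSONDecodeError as e:
            errors.append((lineno, e.msg))
    return records, errors

def bytes_per_orig_host(records):
    """Sum orig_bytes + resp_bytes per originating host: the kind of
    per-record query that JSON logging is for and json.tool cannot give."""
    totals = {}
    for r in records:
        host = r.get("id.orig_h")
        totals[host] = totals.get(host, 0) + r.get("orig_bytes", 0) + r.get("resp_bytes", 0)
    return totals
```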