[Bro] Writing logs to both ACII and JSON

Azoff, Justin S jazoff at illinois.edu
Wed Jan 11 15:12:54 PST 2017 

> When I run bro against a pcap, I get the following error:
> "expression error in /opt/bro/share/bro/test/./add-json.bro, line 34: field value missing [Log::filter$path]"
> 
> It looks like that line refers back to the json path. I have the json path defined as: const path_json = "/nsm/bro/logs/json/" &redef; - is this the correct way to define the log path?
> 

No.. as the error message says there is a problem with filter$path being missing, not path_json.

> This script is exactly the functionality I need, I just can't seem to get it working correctly. I don't begin to understand why I get different results every time I run the same pcap through Bro. 

Because the script does this:

	for ( id in Log::active_streams )
		{
		if ( (enable_all_json || (id in include_json)) && (id !in exclude_json) )
			{
			local filter = Log::get_filter(id, "default");
			filter$name = string_cat(filter$name, "_json");
			filter$path = string_cat(path_json, filter$path, "-json");
			filter$config = config_json;
			filter$interv = interv_json;
			Log::add_filter(id, filter);
			}
		}

and Log::active_streams is a hash table populated at startup and the iteration order is random:

$ cat b.bro ;echo one:;bro b.bro |head; echo two:; bro b.bro |head
event bro_init() {
    for ( id in Log::active_streams )
        print id;
}
one:
Weird::LOG
PacketFilter::LOG
Conn::LOG
NetControl::SHUNT
DNS::LOG
FTP::LOG
SIP::LOG
SNMP::LOG
Syslog::LOG
DPD::LOG
two:
DPD::LOG
Software::LOG
IRC::LOG
RFB::LOG
SSL::LOG
KRB::LOG
SOCKS::LOG
Syslog::LOG
Log::UNKNOWN
DHCP::LOG


It's failing on one of your log files because filter$path is not set. Once that happens the event aborts and everything after that does not get json added.

The loop needs to check filter?$path before trying to use it.

You also probably have something broken (or at least weird) in your configuration because this error does not occur on a stock 2.5 config, so it's probably useful to figure out which of your logs has no path for some reason.


-- 
- Justin Azoff

More information about the Bro mailing list