[Bro] Writing logs to both ASCII and JSON

James Gordon gordonjamesr at gmail.com
Wed Jan 11 17:14:48 PST 2017


Looks like I was wrong about this being a 'standard' config - I fired this
script up on a new VM and it worked with no issues. I pulled my local.bro
off one of the machines I was testing with earlier and I had the SMB
analyzer enabled. I enabled SMB on the new VM, added your lines from your
last post and I have the following entries in reporter.log:

0.000000 Reporter::ERROR Path missing for SMB::MAPPING_LOG /usr/local/bro/share/bro/test/./add-json.bro, line 35

0.000000 Reporter::ERROR Path missing for SMB::CMD_LOG /usr/local/bro/share/bro/test/./add-json.bro, line 35

0.000000 Reporter::ERROR Path missing for SMB::FILES_LOG /usr/local/bro/share/bro/test/./add-json.bro, line 35

Any ideas on how to fix this (preferably), or hard exclude the SMB files
that cause issues?

I ran with SMB disabled for about half an hour on a *very* slow network and
everything worked as expected. Threw some test pcaps that I pulled off a
Security Onion machine and those also ran well and logged as expected.

Thanks!

James Gordon

On Wed, Jan 11, 2017 at 6:22 PM, Jan Grashöfer <jan.grashoefer at gmail.com>
wrote:

> > When I run bro against a pcap, I get the following error:
> > "expression error in /opt/bro/share/bro/test/./add-json.bro, line 34:
> > field value missing [Log::filter$path]"
>
> I've just tested the script using 2.4.1 and 2.5 on try.bro.org
> (http://try.bro.org/#/trybro/saved/115989) and locally using 2.5 with a
> different path for JSON-logs. Unfortunately I am unable to reproduce
> this error.
>
> Maybe we can shed some light on this if we know which log doesn't
> provide a path. Can you try to replace line 34 with:
>
> if ( filter?$path )
>     filter$path = string_cat(path_json, filter$path, "-json");
> else
>     Reporter::error(fmt("Path missing for %s", id));
>
> That should provide some hint on which logs don't define a filter path.
> If you can share your test pcap that might be of interest, too. One
> thing I could imagine would be some kind of timing issue. Maybe playing
> with the events &priority has influence on your results.
>
> Jan
>
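One way to handle streams whose default filter carries no $path, as an added example rather than the script discussed in the thread: instead of reporting an error, fall back to the name Bro's own default path function would assign (so SMB::MAPPING_LOG still gets a JSON copy named from "smb_mapping"). It assumes Bro 2.5; the `AddJSON` module name and the `path_json` prefix constant are assumptions.

```bro
# Added example, not the add-json.bro from the thread. Assumes Bro 2.5,
# where Log::active_streams, Log::get_filter and Log::default_path_func
# are available. AddJSON and path_json are names chosen for this example.
module AddJSON;

export {
	## Prefix put in front of every JSON log name (redef to e.g. "json_").
	const path_json = "" &redef;
}

# Run late so every script has already called Log::create_stream.
event bro_init() &priority=-5
	{
	for ( id in Log::active_streams )
		{
		# copy() so the stored "default" filter is not modified in place.
		local filter = copy(Log::get_filter(id, "default"));

		# The 2.5 SMB streams register no $path, so their default filter has
		# none either. Derive the name the default path function would use
		# (SMB::MAPPING_LOG -> "smb_mapping") instead of raising an error.
		local base: string;
		if ( filter?$path )
			base = filter$path;
		else
			{
			base = Log::default_path_func(id, "", filter);
			Reporter::info(fmt("No default path for %s, using %s", id, base));
			}

		# Second filter on the same stream: ASCII writer in JSON mode.
		filter$name = "json";
		filter$path = string_cat(path_json, base, "-json");
		filter$writer = Log::WRITER_ASCII;
		filter$config = table(["use_json"] = "T");
		Log::add_filter(id, filter);
		}
	}
```

The original TSV logs are untouched, since the "default" filter stays in place and only a second, JSON-formatted filter is added per stream.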