[Bro] Writing logs to both ASCII and JSON

James Gordon gordonjamesr at gmail.com
Thu Jan 12 10:07:24 PST 2017


Jan + all,

Thanks for your help on all this! The script is working great with the
exclusion of SMB logs. Apologies for all the confusion on my side - I'm not
much of a programmer, but use Bro daily as a vital data source at my job.
Anything to enhance the data we get is always good, and JSON makes it much
easier to ingest into other sources.

I've already come across another Bro script that the add-json.bro script
doesn't seem to agree with, but will unload that script as it doesn't
provide much value for my org. I look forward to seeing an updated version
that can handle these stray log files though!

Thanks again!

James Gordon

On Thu, Jan 12, 2017 at 6:31 AM, Jan Grashöfer <jan.grashoefer at gmail.com>
wrote:

> >> Using the SMB-Analyzer I was able to reproduce the issue: The
> >> SMB-Analyzer does not set path, which is indeed optional but used for
> >> all the other logs by convention.
> >
> > Yup, you are right. This looks like an oversight, the path should have
> > been set for all the create_stream calls. I will fix this in master in a
> > few minutes - thanks for finding this :)
>
> Thanks a lot for the quick fix! This way the handling of streams is more
> consistent across the streams. I will also update my script once I find
> some time for testing, as not specifying the path is generally valid
> (cf.
> https://www.bro.org/sphinx/scripts/base/frameworks/logging/main.bro.html#type-Log::Filter).
>
> Jan
>
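As an added illustration of the point Jan raises (this is not the add-json.bro script from the thread, and JsonDup, json_prefix and json_path are names chosen here), the script below duplicates every active stream into a JSON-formatted ASCII file while keeping the default ASCII filter, and uses Log::default_path_func as the fallback so streams whose creator never set $path, as SMB did, still get a file name derived from their stream ID.

```bro
##! Added example, not the add-json.bro script discussed above.
##! Adds a second, JSON-formatted ASCII filter to every active log
##! stream and derives a path even when the stream has no $path.

module JsonDup;

export {
	## Prefix for the JSON copies: conn.log gets a json_conn.log sibling.
	const json_prefix = "json_" &redef;
}

# File name for the JSON copy. When a filter carries no explicit path,
# Bro passes an empty string here; Log::default_path_func then derives
# one from the stream ID (documented example: Notice::LOG -> "notice").
function json_path(id: Log::ID, path: string, rec: any): string
	{
	local base = Log::default_path_func(id, path, rec);
	return json_prefix + base;
	}

# Run late so that every script's Log::create_stream call has happened
# and Log::active_streams is complete.
event bro_init() &priority=-10
	{
	for ( id in Log::active_streams )
		{
		# "use_json" is the per-filter ASCII writer option; assumed to
		# match the LogAscii option names of the installed Bro version.
		local f: Log::Filter = [$name = "json",
		                        $writer = Log::WRITER_ASCII,
		                        $path_func = json_path,
		                        $config = table(["use_json"] = "T")];
		Log::add_filter(id, f);
		}
	}
```

Because the path is computed in json_path rather than read from Log::active_streams[id]$path, a stream created without $path does not abort the loop or silently get skipped.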