[Bro] JSON logging of datasource or 'path' value
Johanna Amann
johanna at icir.org
Tue Jun 6 09:27:18 PDT 2017
Hi Chris,
> I'm experimenting with the JSON output and wanting to manually feed logs to
> logstash via 'cat | nc'. Is it possible to have the JSON output write the
> datatype or 'path' value similar to what is written as a metadata field at
> the top of ascii logs, but include it in each record for easy parsing in
> Logstash?
yes, this is possible using log extension functions, more specifically by
redefining Log::default_ext_func
(https://www.bro.org/sphinx/scripts/base/frameworks/logging/main.bro.html#id-Log::default_ext_func).
Bro actually contains a testcase that has a script that basically does
exactly what you want:
https://github.com/bro/bro/blob/master/testing/btest/scripts/base/frameworks/logging/field-extension.bro
That script adds three fields to each logfile (_write_ts, _stream, and
_system_name). For your case, you only want _stream, but apart from that
this approach should directly work for you.
I hope this helps,
Johanna
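For reference, here is the shape such a script takes. This is an added illustration based on the approach described above, not the btest script from the Bro repository, and it assumes a Bro release in which Log::default_ext_func and Log::default_ext_prefix exist (Bro 2.5 or later). The record type and function names (StreamExt, add_stream) are arbitrary names chosen for this example.

```bro
##! Add a "_stream" field to every log record so that JSON output carries
##! the log path (e.g. "conn", "dns", "http") in each line. Example script,
##! not part of the Bro distribution.

# Emit logs as one JSON object per line instead of the tab-separated
# ASCII format; this is what makes "cat | nc" into Logstash practical.
redef LogAscii::use_json = T;

# Every field of this record is appended to each record of every stream.
# &log is required, otherwise the field is not written out.
type StreamExt: record {
	stream: string &log;
};

# The extension function receives the log path for the stream being
# written and returns the extra fields for that stream.
function add_stream(path: string): StreamExt
	{
	return StreamExt($stream = path);
	}

# Install the function for all streams and keep the default "_" prefix,
# so the field appears as "_stream" in the output.
redef Log::default_ext_func = add_stream;
redef Log::default_ext_prefix = "_";
```

With this loaded (for example via `bro -r trace.pcap add-stream.bro`, where add-stream.bro is the assumed file name), a line from conn.log looks like `{"ts":1496766438.123,"uid":"...","_stream":"conn"}` plus the usual conn fields, so a Logstash filter can branch on the `_stream` key without knowing which file the line came from. If you also want the sending host in each record, add a second field to the record and fill it from `peer_description`, as the repository's field-extension test does.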