[Bro] Bro logs from JSON to TSV

ElBadry Shaker, Moustafa moustafa.elbadry at oregonstate.edu
Tue Jan 9 08:38:21 PST 2018


Great. Thanks for sharing this. I really appreciate it!

Moustafa

On 1/8/18, 2:45 PM, "Kinkead, Tanner" <Tanner.Kinkead at franklintempleton.com> wrote:

    Look at add-JSON:
    
    https://gist.github.com/J-Gras/f9f86828f9e9d9c0b8f0908bc3573bb0
    
    That will log JSON output to the path you define in path_json, and should retain the standard logging as well.  Add-JSON is also available as a bro package.
    
    I've been able to get the log rotation to work for this script, though.  I ended up creating a cron job that stops bro once a day, purges the JSON logs, and restarts.
    
    -----Original Message-----
    From: bro-bounces at bro.org [mailto:bro-bounces at bro.org] On Behalf Of ElBadry Shaker, Moustafa
    Sent: Monday, January 8, 2018 11:27 AM
    To: Azoff, Justin S <jazoff at illinois.edu>; bro at bro.org
    Subject: Re: [Bro] Bro logs from JSON to TSV
    
    Hello, 
    
    I have a follow up question on this. Justin, you mentioned that I could tell bro to write out the logs in both formats (TSV and JSON) at the same time. How can I do this? And can I have the TSV logs saved in one directory and the JSON logs saved in another directory? 
    
    Is the ascii.bro file located at /usr/local/bro/share/bro/base/frameworks/logging/writers/ the right file where we can configure bro to write in two different formats? 
    
    Thanks a lot for your help. I really appreciate it!
    
    Moustafa
    
    
    On 1/5/18, 8:34 AM, "ElBadry Shaker, Moustafa" <moustafa.elbadry at oregonstate.edu> wrote:
    
        Great. Thanks Justin for sharing this. Definitely helps us a lot.
        
        Moustafa
        
        On 1/4/18, 12:36 PM, "Azoff, Justin S" <jazoff at illinois.edu> wrote:
        
            
            > On Jan 3, 2018, at 4:38 PM, ElBadry Shaker, Moustafa <moustafa.elbadry at oregonstate.edu> wrote:
            > 
            > I want the exact TSV format. 
            > 
            > We currently have our Bro cluster writing logs in JSON. There are couple of network traffic analytics tools like RITA (Real Intelligence Threat Analytics) and some AWK scripts that we want to use. The problem is that the tools we want to use work only with Bro’s default TSV format. 
            > 
            > Moustafa   
            
            Ah, I see now.  You have a few of options here.
            
            You could just tell bro to write out the logs in both formats at the same time.  For older logs there is only a script for bro that can re-log to json, but not the other way, most people have the opposite problem.
            
            There is an open issue for RITA to support json: https://github.com/ocmdev/rita/issues/146
            
            A tool to convert the json logs back into the TSV format could be written, but ultimately that would be a waste of time.  Better to update RITA to support json instead of writing more tools to work with the tsv format that only bro uses.
            
            For awk stuff you can swap out bro-cut for jq or https://github.com/JustinAzoff/json-cut
            
            json-cut it doesn't support all the options that bro-cut supports and may be a bit buggy, but it's easier to extract a few fields from a json log as TSV and 2x faster than jq.  If I can find a nice, small json library for C we can probably update bro-cut to natively support the json logs.
            
            For now, to extract note and msg from a stream of notice logs with bro-cut and json-cut you just do
            
                zcat notice.* | bro-cut note msg | awk ...
                zcat notice.* | json-cut note msg | awk ...
            
            For jq you use something like
            
                zcat notice.* | jq -r '[.note, .msg]|@tsv' | awk ...
            
            If the awk scripts are hardcoding top level field numbers like $3 and $5 instead of using bro-cut... they should not do that :-)
            
            
            — 
            Justin Azoff
            
        
        
    
    
    _______________________________________________
    Bro mailing list
    bro at bro-ids.org
    http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
    Notice:  All email and instant messages (including attachments) sent to
    or from Franklin Templeton Investments (FTI) personnel may be retained,
    monitored and/or reviewed by FTI and its agents, or authorized
    law enforcement personnel, without further notice or consent.
    .
    




More information about the Bro mailing list