Additional JSON logging for Bro.
##! Additional JSON-logging for Bro.
# Everything below is declared inside the Log namespace, so the options
# are referenced as e.g. Log::enable_all_json from other scripts.
module Log;
export {
	## Enables JSON-logfiles for all active streams (exclude_json is
	## still honoured, see bro_init below).
	const enable_all_json = T &redef;
	## Streams not to generate JSON-logfiles for; takes precedence over
	## enable_all_json and include_json.
	const exclude_json: set[Log::ID] = { } &redef;
	## Streams to generate JSON-logfiles for when enable_all_json is F.
	const include_json: set[Log::ID] = { } &redef;
	## Prefix for the path of the additional JSON-logfiles. It is
	## concatenated as-is (no separator is inserted), so a directory
	## must end in "/". Only filters with a static $path receive the
	## prefix; filters that use a path_func do not (see json_path_func).
	const path_json = "" &redef;
	## Rotation interval for JSON-logfiles
	const interv_json = default_rotation_interval &redef;
	## Format of timestamps for JSON-logfiles.
	## See: :bro:see:`LogAscii::json_timestamps`
	const timestamps_json = "JSON::TS_MILLIS" &redef;
}
# Wrapper around a filter's path_func implementation that appends "-json" to the path it returns
function json_path_func(id: Log::ID, path: string, rec: any): string
	{
	# Undo a "-json" suffix already present on the incoming path so the
	# wrapped path_func sees the name it was written for. The pattern is
	# unanchored and the slice always drops the last five characters.
	local base_path = ( /-json/ in path ) ? path[:-5] : path;

	# Delegate to the stream's default filter, then re-append the suffix.
	# NOTE(review): path_json is not prepended here, unlike the static
	# $path case in bro_init - confirm whether that is intended.
	local default_filter = Log::get_filter(id, "default");
	local delegated = default_filter$path_func(id, base_path, rec);
	return string_cat(delegated, "-json");
	}
event bro_init() &priority=-3
	{
	# Writer options shared by every JSON filter: the Ascii writer is
	# switched to JSON output with the configured timestamp format.
	const config_json = table(
		["use_json"] = "T",
		["json_timestamps"] = timestamps_json);

	# Install a "default_json" filter next to each selected stream's
	# default filter. Runs at low priority, presumably so that the
	# streams and their default filters already exist - TODO confirm.
	for ( id in Log::active_streams )
		{
		# exclude_json always wins; otherwise either every stream or
		# only the listed ones are selected.
		if ( id in exclude_json )
			next;
		if ( ! enable_all_json && id !in include_json )
			next;

		# NOTE(review): assumes every active stream still has a filter
		# named "default"; whatever Log::get_filter returns when it is
		# missing would be copied otherwise - confirm.
		local json_filter = copy(Log::get_filter(id, "default"));
		json_filter$name = "default_json";
		json_filter$writer = Log::WRITER_ASCII;
		json_filter$config = config_json;
		json_filter$interv = interv_json;

		# Static paths get the path_json prefix and a "-json" suffix;
		# dynamic ones are wrapped so the suffix is re-applied per call.
		if ( json_filter?$path )
			json_filter$path = string_cat(path_json, json_filter$path, "-json");
		if ( json_filter?$path_func )
			json_filter$path_func = json_path_func;

		Log::add_filter(id, json_filter);
		}
	}
The script is available as a package for bro-pkg and can be installed using
bro-pkg install add-json
. In case of further development, updates will be committed to the packages repository at https://github.com/J-Gras/add-json.