
Can't interpret JSON output from Bro

Open kraigu opened this issue 10 years ago • 3 comments

Would be nice if it could.

kraigu avatar May 28 '15 12:05 kraigu

Oh.. that is very easy to do actually.. Just need a json version of https://github.com/JustinAzoff/netflow-indexer/blob/master/netflowindexer/bro/indexer.py

could probably have one that works for both.. do the bro json logs contain '.json' in the filename at all? I forget...

But it would basically be

 ip_columns = self.cfg_data["ip_columns"].split(",") #remove int

and then something like

        record = json.loads(line)
        for col in ip_columns:
            add(record[col])

JustinAzoff avatar May 28 '15 14:05 JustinAzoff

Oh, and could probably have a version that uses 'jq' to do the json heavy lifting if parsing all the json in python is too slow.

JustinAzoff avatar May 28 '15 15:05 JustinAzoff

Sorry, missed your reply - no, there's no way to tell based on filename the difference between a JSON and a "regular" ASCII log. I'll try your fix when I get a mo' and send a patch/pull or something.

kraigu avatar Jun 10 '15 22:06 kraigu
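An added example, not code from the netflow-indexer project or from either commenter, that puts the sketch above together: sniff whether a log is JSON (since, as noted, the filename does not tell), then pull the configured IP columns out of each JSON record, skipping fields Bro's JSON writer leaves out. The sample lines are constructed, and the column names id.orig_h/id.resp_h and the surrounding function names are assumptions.

```python
import json
import ipaddress

# Constructed sample Bro conn.log lines in JSON form (not real captured data).
# Bro's JSON writer omits fields that are unset, so a column may be missing.
SAMPLE_JSON_LINES = [
    '{"ts":1432814400.1,"uid":"CabcXYZ","id.orig_h":"10.0.0.5","id.orig_p":51234,'
    '"id.resp_h":"93.184.216.34","id.resp_p":80,"proto":"tcp"}',
    '{"ts":1432814401.2,"uid":"CdefUVW","id.orig_h":"10.0.0.7","id.orig_p":53,'
    '"id.resp_h":"2001:db8::1","id.resp_p":53,"proto":"udp"}',
    '{"ts":1432814402.3,"uid":"CghiRST","id.orig_h":"10.0.0.5","proto":"icmp"}',
]


def is_json_log(first_line):
    """Filenames do not distinguish JSON from TSV Bro logs, so sniff the first
    line: the TSV format starts with '#separator', the JSON format with '{'."""
    return first_line.lstrip().startswith("{")


def extract_ips(lines, ip_columns):
    """Yield every IP found in the configured columns of each JSON record.
    ip_columns comes from the 'ip_columns' config value, e.g.
    "id.orig_h,id.resp_h".split(","); Bro keeps the dotted names as literal keys."""
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            record = json.loads(line)
        except ValueError:
            continue  # skip a corrupt line instead of aborting the whole file
        for col in ip_columns:
            value = record.get(col)  # missing key: field was unset in this record
            if not isinstance(value, str):
                continue
            try:
                ipaddress.ip_address(value)  # reject non-address strings
            except ValueError:
                continue
            yield value


def index_json_log(lines, ip_columns_cfg="id.orig_h,id.resp_h"):
    """Return the sorted, de-duplicated set of IPs seen in the given lines."""
    ip_columns = [c.strip() for c in ip_columns_cfg.split(",")]
    return sorted(set(extract_ips(lines, ip_columns)))
```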