bropy
JSON log format support
Any plans to add support for Bro's JSON ASCII output?
That's actually next on my todo list. I'm assuming you're coming from Security Onion? If this is purely a dev instance that you created just to try Bropy, you can disable the Bro JSON logging script to revert to the old log format... There should be a line in /opt/bro/share/bro/site/local.bro that you can comment out just for testing.
On Tue, Apr 10, 2018 at 5:38 PM, Psipher Diaz wrote:
> Any plans to add support for Bro's JSON ASCII output?
(Issue: https://github.com/hashtagcyber/bropy/issues/11)
Actually not running Security Onion, but our architecture is similar to their newer ELK-based architecture. Basically we render logs in JSON to avoid having to define TSV fields in Logstash filters for ingestion into Elasticsearch.
I am not a developer; however, I have had success extending others' code and do have access to a talented Python dev, so I will try my hand at adding JSON parsing support.
BTW, I really felt inspired by http://www.chironcommercial.com/blog/infosec-workforce/its-time-to-step-up-your-infosec-game/, and it totally spurred me to get a monthly workshop going in my org, so thanks for that!
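Since the thread is about reading Bro logs in either on-disk format, here is an added example (my own illustration, not bropy's code or anything from the project) of a reader that accepts both: Bro's ASCII TSV with its `#separator`/`#fields`/`#types` header, and the one-object-per-line JSON output that the JSON logging script switches on. It detects the format from the first line, types the TSV cells from the `#types` declaration, drops unset fields in both (TSV marks them `-`, JSON simply omits the key), and so yields identical Python dicts from either file. The two conn.log rows in `SAMPLE_TSV` and `SAMPLE_JSON` are constructed for the example, `flatten_record` is a defensive helper for JSON that a downstream tool has re-nested, and `bytes_by_origin` is a stand-in for whatever per-record analysis you would hang off the parser.

```python
"""Read a Bro log in either ASCII TSV or JSON-lines form into identical Python records."""
import json


def _unescape(value):
    # The "#separator \x09" header writes the separator as a backslash escape.
    return value.encode("ascii").decode("unicode_escape")


def _convert(raw, btype, meta):
    """Map one TSV cell to a Python value using the #types declaration."""
    if btype.startswith(("set[", "vector[")):
        if raw == meta["empty_field"]:
            return []
        inner = btype[btype.index("[") + 1:-1]
        return [_convert(item, inner, meta) for item in raw.split(meta["set_separator"])]
    if raw == meta["empty_field"]:
        return ""
    if btype in ("count", "int", "port"):
        return int(raw)
    if btype in ("time", "interval", "double"):
        return float(raw)
    if btype == "bool":
        return raw == "T"
    return raw  # string, addr, subnet, enum stay textual, as they do in the JSON output


def _parse_tsv(lines):
    meta = {"separator": "\t", "set_separator": ",", "empty_field": "(empty)", "unset_field": "-"}
    fields = types = None
    for line in lines:
        if not line.strip():
            continue
        if line.startswith("#"):
            # Only the #separator line is space-delimited; later header lines use the separator itself.
            delim = " " if line.startswith("#separator") else meta["separator"]
            key, _, value = line[1:].partition(delim)
            if key == "separator":
                meta["separator"] = _unescape(value)
            elif key in ("set_separator", "empty_field", "unset_field"):
                meta[key] = value
            elif key == "fields":
                fields = value.split(meta["separator"])
            elif key == "types":
                types = value.split(meta["separator"])
            continue  # #path, #open and #close carry no per-record data
        if fields is None or types is None:
            raise ValueError("data row before #fields/#types header")
        cells = line.split(meta["separator"])
        if len(cells) != len(fields):
            raise ValueError("row has %d cells but header declares %d fields" % (len(cells), len(fields)))
        record = {}
        for name, btype, raw in zip(fields, types, cells):
            if raw == meta["unset_field"]:
                continue  # JSON output omits unset fields, so drop them here too
            record[name] = _convert(raw, btype, meta)
        yield record


def flatten_record(obj, prefix=""):
    """Flatten nested objects to dotted keys ({"id": {"orig_h": ...}} -> "id.orig_h").
    Bro's own JSON writer already emits dotted keys; this only matters if a tool re-nested them."""
    out = {}
    for key, value in obj.items():
        if isinstance(value, dict):
            out.update(flatten_record(value, prefix + key + "."))
        else:
            out[prefix + key] = value
    return out


def _parse_json(lines):
    for line in lines:
        if line.strip():
            yield flatten_record(json.loads(line))


def parse_bro_log(text):
    """Detect the format from the first non-blank line; return an iterator of dict records."""
    lines = text.splitlines()
    first = next((l for l in lines if l.strip()), "")
    if first.startswith("{"):
        return _parse_json(lines)
    if first.startswith("#separator"):
        return _parse_tsv(lines)
    raise ValueError("not a Bro ASCII or JSON log (first line: %r)" % first[:40])


def bytes_by_origin(text):
    """One analysis path for both formats: bytes sent per originating host."""
    totals = {}
    for rec in parse_bro_log(text):
        src = rec["id.orig_h"]
        totals[src] = totals.get(src, 0) + rec.get("orig_bytes", 0)
    return totals


# Constructed sample: two conn.log rows in each format (hypothetical hosts and uids).
SAMPLE_TSV = "\n".join([
    r"#separator \x09",
    "#set_separator\t,", "#empty_field\t(empty)", "#unset_field\t-",
    "#path\tconn", "#open\t2018-04-10-17-38-00",
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tservice\tduration\torig_bytes\tlocal_orig\ttunnel_parents",
    "#types\ttime\tstring\taddr\tport\taddr\tport\tenum\tstring\tinterval\tcount\tbool\tset[string]",
    "1523395080.123456\tCHhAvVGS1DHFjwGM9\t10.0.0.5\t52344\t93.184.216.34\t443\ttcp\tssl\t1.234000\t512\tT\t(empty)",
    "1523395081.000000\tCZc7sf2m4UxJf6s0Ui\t10.0.0.7\t33210\t10.0.0.53\t53\tudp\tdns\t-\t-\tF\tCeqv7q1kb3PGMflJa",
    "#close\t2018-04-10-17-40-00",
])
SAMPLE_JSON = "\n".join([
    '{"ts":1523395080.123456,"uid":"CHhAvVGS1DHFjwGM9","id.orig_h":"10.0.0.5","id.orig_p":52344,'
    '"id.resp_h":"93.184.216.34","id.resp_p":443,"proto":"tcp","service":"ssl","duration":1.234,'
    '"orig_bytes":512,"local_orig":true,"tunnel_parents":[]}',
    '{"ts":1523395081.0,"uid":"CZc7sf2m4UxJf6s0Ui","id.orig_h":"10.0.0.7","id.orig_p":33210,'
    '"id.resp_h":"10.0.0.53","id.resp_p":53,"proto":"udp","service":"dns","local_orig":false,'
    '"tunnel_parents":["Ceqv7q1kb3PGMflJa"]}',
])

if __name__ == "__main__":
    print(list(parse_bro_log(SAMPLE_TSV)) == list(parse_bro_log(SAMPLE_JSON)))
    print(bytes_by_origin(SAMPLE_JSON))
```

One caveat when switching a pipeline to JSON: the JSON output has no `#path` header, so the log type (conn, dns, http) has to come from the file name, and the `#types` metadata that lets the TSV reader turn `port` into an int and `T`/`F` into booleans is gone; the JSON writer has already applied those conversions, which is why the two parsed records compare equal above.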
I am very interested in JSON support as well. Looking forward to the update!