We’re working on analyzing semi-structured logs (such as syslog, Windows events, etc.), and I’m trying to figure out if Bro/Zeek is the right tool for the job.
Bro/Zeek has great support for parsing syslog messages into its parts [1], but we want to take it one step further, applying some NLP to the message part of the syslog entry, such as named entity extraction.
What’s the best way to integrate something like this?
- Forking the syslog script from bro/scripts/base/protocols/syslog [2], and using Zeek’s FFI to integrate some C/C++ code?
- Use whatever NLP tools I prefer, and integrate the Broccoli Client Communications Library [3] to send events to Bro/Zeek?
Maybe there are other, better ways to do this. Any advice on this matter would be appreciated!
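A third option the post does not mention is to leave Zeek's syslog analyzer untouched and post-process the syslog.log it writes, so the NLP stage runs outside Zeek. The example below is added here and is not the poster's code or part of Zeek; it assumes the standard Zeek TSV log layout with a `#fields` header, a constructed two-line syslog.log sample, and stands in for a real NLP toolkit with a few hypothetical regex-based entity patterns (IP, user, process, port).

```python
import re
from typing import Dict, Iterator, List

# Constructed sample of a Zeek syslog.log (TSV, '#fields' header); not captured from a real sensor.
SAMPLE_SYSLOG_LOG = """#separator \\x09
#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tfacility\tseverity\tmessage
#types\ttime\tstring\taddr\tport\taddr\tport\tenum\tstring\tstring\tstring
1500000000.123\tCabc123\t192.0.2.10\t514\t192.0.2.20\t514\tudp\tAUTH\tINFO\tsshd[1234]: Accepted publickey for alice from 198.51.100.7 port 51234 ssh2
1500000001.456\tCdef456\t192.0.2.11\t514\t192.0.2.20\t514\tudp\tAUTHPRIV\tWARNING\tsshd[1235]: Failed password for invalid user admin from 203.0.113.9 port 40022 ssh2
#close\t2017-07-14-02-40-01
"""

# Hypothetical stand-in for an NLP entity extractor: one regex per entity type.
ENTITY_PATTERNS = {
    "ip": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "user": re.compile(r"\bfor (?:invalid user )?(\S+) from\b"),
    "process": re.compile(r"^(\w+)\[\d+\]:"),
    "port": re.compile(r"\bport (\d+)\b"),
}


def parse_zeek_log(text: str) -> Iterator[Dict[str, str]]:
    """Yield one dict per data row of a Zeek TSV log, keyed by the '#fields' names."""
    fields: List[str] = []
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line.startswith("#") or not line:
            continue  # other header lines, '#close', blank lines
        else:
            values = ["" if v == "-" else v for v in line.split("\t")]  # '-' is Zeek's unset marker
            yield dict(zip(fields, values))


def extract_entities(message: str) -> Dict[str, List[str]]:
    """Run every entity pattern over the free-text syslog message part."""
    return {name: pat.findall(message) for name, pat in ENTITY_PATTERNS.items()}


def enrich(text: str) -> List[Dict[str, object]]:
    """Attach extracted entities to each syslog.log record, keeping Zeek's uid for correlation."""
    return [
        {"uid": rec["uid"], "facility": rec["facility"], "severity": rec["severity"],
         "entities": extract_entities(rec["message"])}
        for rec in parse_zeek_log(text)
    ]


if __name__ == "__main__":
    for record in enrich(SAMPLE_SYSLOG_LOG):
        print(record)
```

The uid carried through lets the extracted entities be joined back to Zeek's conn.log for the same flow.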