Multiple log streams

I used this script:

https://gist.github.com/J-Gras/f9f86828f9e9d9c0b8f0908bc3573bb0

to log simultaneously as JSON and normal Bro TSV.

I’m seeing only a fraction of the total logs being written as JSON – it varies between about 25-40%.

The script looks OK to me. Any ideas what’s wrong? Is there a better way to do dual log streams?

Thanks,

Jay

Hi Jay,

> I'm seeing only a fraction of the total logs being written as JSON -- it
> varies between about 25-40%.

Do you miss single log lines or complete log files? In case you are
missing single log lines: Is there any pattern (e.g. a certain type of
events is missing or just a subset of logs is affected)?

In case you are running a cluster, it might be interesting to log the
node (see
https://github.com/0xxon/bro-scripts/blob/master/conn-workers.bro).

Best regards,
Jan
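
One way to answer the question in the reply above (single lines or a pattern?) is to diff the two outputs of the same log. This is an added example, not part of the thread or the linked gist; the function names are hypothetical, the log lines are constructed, and it assumes a conn.log, where `uid` is unique per entry.

```python
import json
from collections import Counter

# Constructed sample data (not from the thread): a TSV conn.log and the JSON
# stream that should mirror it, with two entries missing on the JSON side.
TSV_LOG = "\n".join([
    "#separator \\x09",
    "#path\tconn",
    "#fields\tts\tuid\tid.orig_h\tid.resp_p\tproto",
    "#types\ttime\tstring\taddr\tport\tenum",
    "1500000000.000001\tCaaa1\t10.0.0.1\t53\tudp",
    "1500000001.000001\tCbbb2\t10.0.0.2\t80\ttcp",
    "1500000002.000001\tCccc3\t10.0.0.3\t443\ttcp",
    "1500000003.000001\tCddd4\t10.0.0.1\t53\tudp",
    "1500000004.000001\tCeee5\t10.0.0.4\t22\ttcp",
])
JSON_LOG = "\n".join([
    '{"ts":1500000000.000001,"uid":"Caaa1","id.resp_p":53,"proto":"udp"}',
    '{"ts":1500000001.000001,"uid":"Cbbb2","id.resp_p":80,"proto":"tcp"}',
    '{"ts":1500000003.000001,"uid":"Cddd4","id.resp_p":53,"proto":"udp"}',
])

def read_tsv(text):
    """Parse Bro TSV: column names come from the #fields header line."""
    fields, rows = [], []
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line and not line.startswith("#"):
            rows.append(dict(zip(fields, line.split("\t"))))
    return rows

def read_json(text):
    """Parse Bro JSON logs: one object per line."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]

def missing_from_json(tsv_rows, json_rows, key="uid", group_by="proto"):
    """Return TSV rows absent from the JSON stream and a count per group."""
    seen = {str(r.get(key)) for r in json_rows}
    missing = [r for r in tsv_rows if r[key] not in seen]
    return missing, Counter(r[group_by] for r in missing)

if __name__ == "__main__":
    missing, by_group = missing_from_json(read_tsv(TSV_LOG), read_json(JSON_LOG))
    print(len(missing), "entries missing from JSON;", dict(by_group))
```

Changing `group_by` to another column shows whether the missing entries cluster on one value or are spread evenly.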