Hi,
I am a newbie at Bro and wanted to change the log format of the http.log file to JSON.
Currently I have made changes in ascii.bro and now I am getting all logs in JSON format, but what do I have to do if I only want http.log to have that format and the others to keep the default?
Also, my log files still have the .log extension; how can I change it to .json?
Thanks,
Regards,
Aneela Safdar
Hello Aneela,
> I am a newbie at Bro and wanted to change the log format of the http.log
> file to JSON. Currently I have made changes in ascii.bro and now I am
> getting all logs in JSON format, but what do I have to do if I only want
> http.log to have that format and the others to keep the default?
You can do something like this in bro_init:
    event bro_init()
        {
        local f = Log::get_filter(HTTP::LOG, "default"); # get default filter
        f$config = table(["use_json"] = "T"); # set json config option
        Log::add_filter(HTTP::LOG, f); # replace default filter
        }
> Also, my log files still have the .log extension; how can I change it to .json?
You sadly cannot change it for a single log file, just for all of them (by
setting the BRO_LOG_SUFFIX environment variable).
I hope this helps,
Johanna
Alternately, you can just add the following line in a script (to avoid changing base scripts)...
redef LogAscii::use_json = T;
Of course, Johanna's reply still applies since it sounds like you don't want to make that change to all of your logs.
.Seth
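A variation on the per-stream filter approach from the thread, as an added example that is not part of the original messages: instead of replacing the default filter, a second filter is attached to HTTP::LOG so the default http.log is kept and a JSON copy is written next to it. The filter name "http-json" and the path "http_json" are assumptions chosen for illustration.

```bro
# Added example (not from the thread). The filter name "http-json" and the
# path "http_json" are assumptions chosen for illustration.
event bro_init()
    {
    # The "default" filter is left untouched, so http.log stays in the
    # default tab-separated format.
    local json_filter: Log::Filter = [
        $name = "http-json",
        $path = "http_json",
        $config = table(["use_json"] = "T")
    ];

    # A second filter on the same stream writes every HTTP record a
    # second time, as JSON, to http_json.log.
    Log::add_filter(HTTP::LOG, json_filter);
    }
```

The JSON file still carries the .log suffix, and HTTP records are written twice, so disk usage for that stream roughly doubles.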