Writing JSON logs

Bro,

I made a patch for the Ascii log writer to write the logs in JSON format. This was thanks to the existing code from the ElasticSearch writer and copy/paste skill.

But when I try to enable the writer at runtime there are errors. Why?

See patch. ( cd bro-2.2; patch -p1 < bro–write_json.patch )

Thanks,

–TC

event bro_init()
{
        LogAscii::write_json=T;
}

results in

# bin/broctl check
manager failed.
   error in /usr/local/3rd-party/bro/share/bro/site/local.bro, line 7:
const is not a modifiable lvalue (LogAscii::write_json)
proxy-1 failed.
   error in /usr/local/3rd-party/bro/share/bro/site/local.bro, line 7:
const is not a modifiable lvalue (LogAscii::write_json)
worker-1 failed.
   error in /usr/local/3rd-party/bro/share/bro/site/local.bro, line 7:
const is not a modifiable lvalue (LogAscii::write_json)
worker-2 failed.
   error in /usr/local/3rd-party/bro/share/bro/site/local.bro, line 7:
const is not a modifiable lvalue (LogAscii::write_json)



bro–write_json.patch (8.4 KB)

It’s a “const” so you can’t change the value at run-time. Use `redef` to assign a new value at parse-time.

- Jon

Did you read the patch? &redef is included. Maybe I misunderstand you.

--TC

The &redef attribute still doesn’t permit run-time modification of a const, which is what you did in the bro_init handler. Instead what you need is to use the `redef` statement to assign a value at parse time (outside an event handler):

  redef LogAscii::write_json=T;

- Jon

Thanks.

–TC

Did this patch ever get pulled into Bro? I am just curious if there is now support for logging in JSON.

Thanks,

–Jason

That patch had some structural problems. I finally went back and restructured the code at a different layer in Bro. It should be getting merged into master soon. You'll be able to write out all of your logs in JSON format with:

@load tuning/json-logs

I went ahead and made some additional changes to the ascii writer so that most of the options that once were only globally available (like LogAscii::separator) are now available per logging filter too. This makes it possible to write a script that outputs a single log in CSV format instead of tab separated without impacting all of a user's other logs.

Anyway, not in master yet, but it should be there soon and it will be in 2.3.

  .Seth
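Putting the two answers above together, here is an added example (not code from the thread or from the Bro distribution) of what a site's local.bro could look like: the `&redef` const is changed with a parse-time `redef` rather than an assignment inside bro_init, and the per-filter Ascii options Seth describes are used to add a CSV copy of conn.log while all other logs stay JSON. It assumes Bro 2.3 with the restructured Ascii writer, that the global option is named `LogAscii::use_json` (the thread's patch called it `write_json`), and that the filter `$config` keys `use_json` and `separator` mirror the LogAscii globals of the same name.

```bro
# Added example: JSON everywhere, plus a CSV copy of conn.log for one filter.
# Assumes Bro 2.3 (Ascii writer options readable per filter).

@load base/protocols/conn

# Parse-time change of a `const ... &redef` value. Doing this as an
# assignment inside an event handler, e.g.
#     event bro_init() { LogAscii::use_json = T; }
# is rejected with "const is not a modifiable lvalue"; `redef` at top
# level is the only way to change it.
redef LogAscii::use_json = T;

# Per-filter overrides: keys in the filter's $config table take precedence
# over the LogAscii globals for this filter only. Key names are assumed to
# match the globals ("use_json", "separator"); values are strings.
event bro_init() &priority=-5
	{
	local conn_csv: Log::Filter = [
		$name = "conn-csv",
		$path = "conn-csv",
		$config = table(["use_json"] = "F", ["separator"] = ",")
	];

	# Conn::LOG keeps its default JSON filter; this adds a second output,
	# conn-csv.log, with comma separators and the usual #fields header.
	Log::add_filter(Conn::LOG, conn_csv);
	}
```

The CSV output still carries the `#separator`, `#fields` and `#types` meta lines, which is exactly the layout the Ascii input reader expects, so a log written this way can be fed back into the Input framework.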

Any chance we can get the InputReader to also support CSV? If it does already, my apologies … I’d just not figured out how to make that work yet.

-phil

It already does. As long as you don't feed crazy CSV into it. :)

Basically what it supports is reading in the same output that the Ascii writer writes out (which can use commas for field separators). Could you maybe give an example of what you'd like to be able to read in?

  .Seth
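As an added example of the "same output the Ascii writer writes out" case Seth describes (not code from the thread or from Bro itself): a comma-separated file with a `#fields` header is loaded into a table with the Input framework. It assumes the global `InputAscii::separator` option, a constructed input file named blocked.csv, and that fields are split on the literal separator, so a quoted field containing a comma (the "crazy CSV" case) is not handled.

```bro
# Added example: reading a CSV file with the Input framework's Ascii reader.
# Constructed input file blocked.csv, in the layout the Ascii writer emits
# when its separator is ",":
#     #separator \x2c
#     #fields ip,reason
#     #types addr,string
#     10.0.0.5,scanner
#     192.0.2.9,c2
# The #fields line itself is split on the separator, so it must use commas too.

@load base/frameworks/input

# Parse-time redef of the reader's field separator (tab by default).
# Assumption: set globally here; this affects every Ascii input stream.
redef InputAscii::separator = ",";

type Idx: record {
	ip: addr;
};

type Val: record {
	reason: string;
};

# Destination table, populated by the reader.
global blocked: table[addr] of Val = table();

event Input::end_of_data(name: string, source: string)
	{
	if ( name != "blocked" )
		return;

	for ( ip in blocked )
		print fmt("%s is blocked: %s", ip, blocked[ip]$reason);

	# MANUAL mode: one read, then drop the stream so Bro can exit when
	# run without a packet source.
	Input::remove(name);
	}

event bro_init()
	{
	Input::add_table([$source = "blocked.csv",
	                  $name = "blocked",
	                  $idx = Idx,
	                  $val = Val,
	                  $destination = blocked,
	                  $mode = Input::MANUAL]);
	}
```

Fields are split on the separator literally; a value that contains a comma, quoted or not, is split into extra columns and the line is rejected as having the wrong field count, which is the "crazy CSV" Seth warns about.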