Zeek and json output question

Allen_Brian · January 23, 2020, 9:35pm

Hi All-

I want to run a test, but I don’t want to use all my zeek cluster data. I do know how to output all my zeek logs in JSON output, but how can I output just a single log to JSON output (like the ftp.log)?

What I’m looking for: All the zeek logs output like normal (tab separated), PLUS the FTP log is output in JSON format as well. Can I break one out or is it all or nothing?

Thank you,

-Brian

JustinAzoff · January 23, 2020, 10:47pm

Yep! Give this a try

event zeek_init()
{
Log::add_filter(FTP::LOG, [
$name = “ftp-json”,
$path = “ftp_json”,
$config = table([“use_json”] = “T”)
]);
}

This package does this in a bit more advanced way:

https://github.com/J-Gras/add-json

Jan · January 24, 2020, 9:34am

If you want to use that package, the following enables JSON for FTP only:

redef Log::enable_all_json = F;
redef Log::include_json += {FTP::LOG};

Jan

Topic		Replies	Views
Zeek json log files Zeek	4	266	May 10, 2023
Json output Zeek	3	95	May 6, 2022
Log files Zeek	1	87	May 6, 2022
Getting Directory of Logs Output Zeek	2	158	September 25, 2023
Logging Issue after upgrade to LTS 5.0.0 Zeek	19	1063	May 9, 2023

Zeek and json output question

Related Topics