Zeek and json output question

Allen_Brian · January 23, 2020, 9:35pm

Hi All-

I want to run a test, but I don’t want to use all my zeek cluster data. I do know how to output all my zeek logs in JSON output, but how can I output just a single log to JSON output (like the ftp.log)?

What I’m looking for: All the zeek logs output like normal (tab separated), PLUS the FTP log is output in JSON format as well. Can I break one out or is it all or nothing?

Thank you,

-Brian

JustinAzoff · January 23, 2020, 10:47pm

Yep! Give this a try

event zeek_init()
{
Log::add_filter(FTP::LOG, [
$name = “ftp-json”,
$path = “ftp_json”,
$config = table([“use_json”] = “T”)
]);
}

This package does this in a bit more advanced way:

https://github.com/J-Gras/add-json

Jan · January 24, 2020, 9:34am

If you want to use that package, the following enables JSON for FTP only:

redef Log::enable_all_json = F;
redef Log::include_json += {FTP::LOG};

Jan

Topic		Replies	Views
Zeek json log files Zeek	4	619	May 10, 2023
Set Zeek logs to json format Zeek training	2	467	December 15, 2022
Send logs from zeek to redis i.e. a Redis log writer Zeek	2	245	April 13, 2023
Want output all http logs Zeek development	3	375	June 26, 2023
Json output Zeek	3	119	May 6, 2022

Zeek and json output question

Related topics