Zeek json log files

slsanna · May 9, 2023, 7:57pm

hello everyone! I read that zeek can also output log files in json format, instead of the standard output format. Can you help me setting this option? Thanks!

Christian · May 9, 2023, 8:09pm

Hi there!

zkg install add-json should do all you need — take a look here: GitHub - J-Gras/add-json: Enables additional JSON-logging for Zeek.

You may need to say zkg install --version master add-json to pull in some recent fixes if you get a message around failing tests, depending on your Zeek version.

For more low-level configuration, you can also simply @load tuning/json-logs, or redef LogAscii::use_json=T.

Hope this helps,
Christian

slsanna · May 9, 2023, 8:24pm

I tried both the zkg install and the low level one but none of them worked. For the low level, should I modify the local.zeek file right?

Christian · May 9, 2023, 8:33pm

For the low level, should I modify the local.zeek file right?

Yeah. If you’re running Zeek via zeekctl, remember to do a zeekctl deploy after making changes.

For basic testing you can also try things like zeek -r some.pcap tuning/json-logs or zeek -r some.pcap LogAscii::use_json=T.

Best,
Christian

slsanna · May 10, 2023, 8:18am

Thank you! I solved it

Topic		Replies	Views
Zeek and json output question Zeek	3	345	May 6, 2022
Set Zeek logs to json format Zeek training	2	515	December 15, 2022
Feature Request: Append Zeek	5	192	May 6, 2022
Try.zeek and local zeek6.0.1 : missing entries Zeek logging	2	239	September 19, 2023
Zeek 3.0.1 release available Zeek	1	111	May 6, 2022

Zeek json log files

Related topics