add-json

Add-JSON

This package provides additional JSON-logging for Bro. By default a JSON log is enabled for every logging stream (original filename suffixed by -json). For further configuration, the following options are available:

OptionDefault ValueDescription
enable_all_json: boolTEnables JSON-logfiles for all active streams
exclude_json: set[Log::ID]{ }Streams not to generate JSON-logfiles for
include_json: set[Log::ID]{ }Streams to generate JSON-logfiles for
path_json: stringdefault pathPath to the additional JSON-logfiles
interv_json: intervaldefault intervalRotation interval for JSON-logfiles
timestamps_json: string"JSON::TS_MILLIS"Format of timestamps for JSON-logfiles.
scope_sep_json: stringdefault separatorSeparator for log field scopes.

If, for example, your postprocessing of the files cannot handle dots in field names, you can add the following to you local.bro to replace them with underscores:

redef Log::scope_sep_json = "_";

For more details on the underlying filter options see: https://www.bro.org/sphinx/scripts/base/frameworks/logging/main.bro.html#type-Log::Filter

Note: The script has been tested with Bro version 2.5.

Package Version :