-
-
Save jayswan/805e7801c05a14f1812777a08f4006af to your computer and use it in GitHub Desktop.
Additional JSON logging for Bro.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Add additional JSON logging | |
| module Log; | |
| export { | |
| ## Enables JSON-logfiles for all active streams | |
| const enable_all_json = T &redef; | |
| ## Streams not to generate JSON-logfiles for | |
| const exclude_json: set[Log::ID] = { } &redef; | |
| ## Streams to generate JSON-logfiles for | |
| const include_json: set[Log::ID] = { } &redef; | |
| ## Path to the additional JSON-logfiles | |
| const path_json = "" &redef; | |
| ## Rotation interval for JSON-logfiles | |
| const interv_json = default_rotation_interval &redef; | |
| ## Format of timestamps for JSON-logfiles. | |
| ## See: :bro:see:`LogAscii::json_timestamps` | |
| const timestamps_json = "JSON::TS_MILLIS" &redef; | |
| } | |
| event bro_init() | |
| { | |
| const config_json = table( | |
| ["use_json"] = "T", | |
| ["json_timestamps"] = timestamps_json); | |
| # Add filter for JSON output | |
| for ( id in Log::active_streams ) | |
| { | |
| if ( (enable_all_json || (id in include_json)) && (id !in exclude_json) ) | |
| { | |
| local filter = Log::get_filter(id, "default"); | |
| filter$name = string_cat(filter$name, "_json"); | |
| filter$path = string_cat(path_json, filter$path, "-json"); | |
| filter$config = config_json; | |
| filter$interv = interv_json; | |
| Log::add_filter(id, filter); | |
| } | |
| } | |
| } |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment