It discusses using bro-cut, sed, awk and various other command line tools to parse Bro logs. These tools appear to be dependent upon being able to read the headers from the *.gz logs. It looks like, when in the JSON format, there are no headers for bro-cut to read.
I'm wondering if, with Kibana, folks don't do command line stuff with Bro as much, but if they do, I'm wondering if there are some articles on how to use command line tools with the Bro logs in JSON format. The NSM daily logs can be read directly with tshark or Wireshark, so that's not an issue.
Thanks!
You received this message because you are subscribed to the Google Groups "security-onion" group.
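The gap the question describes (bro-cut needs the #fields header that the JSON logs do not carry) can be closed with a small script that takes the field names from the caller instead. The following is an added example, not code from the thread, from Security Onion or from the Bro project; the script name `jsoncut.py` and the sample conn.log records are constructed for illustration.

```python
"""
Field selection for Bro logs written as JSON, in the style of `bro-cut`.
bro-cut reads the #fields header of the tab-separated logs; JSON logs have
no header, so here the caller names the fields and each line is parsed as
one JSON object. Usage:
    python3 jsoncut.py [-d] conn.log[.gz] ts id.orig_h id.resp_h id.resp_p
"""
import gzip
import json
import sys
from datetime import datetime, timezone


def open_log(path):
    # Rotated logs are gzip-compressed; choose the opener by extension.
    return gzip.open(path, "rt") if path.endswith(".gz") else open(path, "rt")


def cut_json(lines, fields, human_ts=False, missing="-"):
    """Return one tab-separated row per JSON record, restricted to `fields`.
    Keys absent from a record print as '-', as unset fields do in the ASCII
    format. With human_ts=True, 'ts' is rendered in UTC (like `bro-cut -u`)."""
    rows = []
    for line in lines:
        line = line.strip()
        if not line:
            continue  # tolerate blank lines between records
        rec = json.loads(line)
        values = []
        for f in fields:
            v = rec.get(f, missing)  # JSON keys keep the dots, e.g. "id.orig_h"
            if human_ts and f == "ts" and v != missing:
                v = datetime.fromtimestamp(v, tz=timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
            values.append(str(v))
        rows.append("\t".join(values))
    return rows


# Constructed sample conn.log records in Bro's JSON format (not real traffic).
SAMPLE_CONN_JSON = [
    '{"ts":1507900000.123456,"uid":"CONSTRUCTED1","id.orig_h":"10.0.0.5","id.orig_p":52345,'
    '"id.resp_h":"192.0.2.10","id.resp_p":443,"proto":"tcp","service":"ssl","conn_state":"SF"}',
    '{"ts":1507900001.5,"uid":"CONSTRUCTED2","id.orig_h":"10.0.0.7","id.orig_p":41002,'
    '"id.resp_h":"192.0.2.53","id.resp_p":53,"proto":"udp","conn_state":"SF"}',
]


def main(argv):
    human_ts = "-d" in argv
    args = [a for a in argv if a != "-d"]
    if len(args) < 2:
        sys.exit("usage: jsoncut.py [-d] <log[.gz]> field [field ...]")
    with open_log(args[0]) as fh:
        for row in cut_json(fh, args[1:], human_ts):
            print(row)


if __name__ == "__main__":
    main(sys.argv[1:])
```

The tab-separated output can then be piped into sort, uniq, awk and the other tools mentioned above exactly as the output of bro-cut would be.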