Log analysis of ndjson file


Naser Aslam

May 14, 2022, 5:59:51 AM
to Wazuh mailing list
Hi great support team!
I want to scan network traffic by using the packetbeat utility. It provides its log in a file in ndjson format. I know Wazuh supports json, but does it support ndjson too?



Regards
Hafiz Naser Aslam
Research Officer in "High Performance Computing & Networking Lab"
Al-Khawarizmi Institute Of Computer Science (KICS)
University Of Engineering and Technology (UET), Lahore

Dario Menten

May 15, 2022, 10:25:01 PM
to Wazuh mailing list

Hello Naser,
I hope you are fine.
As far as I understand, the difference between NDJSON and JSON is the way they manage arrays. While a JSON can be:

[
  {"id":1,"name":"Alice"},
  {"id":2,"name":"Bob"},
  {"id":3,"name":"Carol"}
]

An NDJSON can be:

{"id":1,"name":"Alice"}
{"id":2,"name":"Bob"}
{"id":3,"name":"Carol"}

Keeping in mind that a log file in JSON will be a collection of JSON, one per line, in this case it should be precisely the same. For log collection, the Wazuh Agent/Manager will read the log line by line and decode it with the JSON decoder if the line has the correct format.
I hope this can answer your question.
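
Added example, not part of the thread and not Wazuh code: a pre-flight check that decodes a file one line at a time, applied to the two layouts shown in the reply above. It uses Python's `json` module rather than Wazuh's decoder, and assumes a line has "the correct format" when it parses on its own to a JSON object; the function name and sample strings are constructed for illustration.

```python
import json

# Constructed samples mirroring the two layouts in the reply above
# (not real Packetbeat output).
NDJSON_SAMPLE = (
    '{"id":1,"name":"Alice"}\n'
    '{"id":2,"name":"Bob"}\n'
    '{"id":3,"name":"Carol"}\n'
)
JSON_ARRAY_SAMPLE = (
    '[\n'
    '  {"id":1,"name":"Alice"},\n'
    '  {"id":2,"name":"Bob"},\n'
    '  {"id":3,"name":"Carol"}\n'
    ']\n'
)


def check_lines(text):
    """Decode every non-empty line independently, as a line-by-line reader
    would. Returns (decoded, rejected); rejected holds (line_number, reason)."""
    decoded, rejected = [], []
    # Split on "\n" only: str.splitlines() would also break on characters
    # such as U+2028, which may legally appear inside a JSON string.
    for lineno, line in enumerate(text.split("\n"), start=1):
        line = line.strip()
        if not line:
            continue
        try:
            value = json.loads(line)
        except json.JSONDecodeError as exc:
            rejected.append((lineno, exc.msg))
            continue
        if isinstance(value, dict):
            decoded.append(value)
        else:
            # Assumption: only objects count as usable log events.
            rejected.append((lineno, "valid JSON but not an object"))
    return decoded, rejected


if __name__ == "__main__":
    for label, sample in (("ndjson", NDJSON_SAMPLE), ("array", JSON_ARRAY_SAMPLE)):
        ok, bad = check_lines(sample)
        print(f"{label}: {len(ok)} decoded, rejected lines {[n for n, _ in bad]}")
```

On the multi-line array layout only the last element decodes (it has no trailing comma), so most events would be lost to a line-by-line reader; the NDJSON layout decodes completely.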
