I have got a project to perform complex event processing of Bro logs in order to detect any security lags or attacks and so on. I have done an initial survey and found out that Bro generates various log files, and I can make WSO2 CEP take those files and write Siddhi queries for event processing. As the event receiver of WSO2 CEP takes XML, JSON or text as the message format, do I have to change the format of the Bro log files, or can they work as they are? I didn't happen to find any sample of WSO2 CEP taking standard log files as an event receiver.
2 Answers
To achieve this you can use the CEP file-tail event receiver and then use a RegEx to extract the details from the log message, similar to the sample provided here (Sample Number 0022 in WSO2 CEP 4.1). Alternatively you can also write a client to extract the log and send it as an XML or JSON event to CEP over any transport you prefer.

suho
Fortunately Bro supports JSON format for log files. I just modified some default options in the ascii.bro file like:

```
# to use json instead of `tsv` for all log files. It was F by default
const use_json = T &redef;
# to display timestamps in a standard format (the default is JSON::TS_EPOCH)
const json_timestamps: JSON::TimestampFormat = JSON::TS_ISO8601 &redef;
```

And now I am getting all logs in the required format.

aneela
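A worked example covering both answers above, added here and not code from the question, the answers, Bro or WSO2 CEP: it parses Bro's default TSV output using the log's own `#fields`/`#types` header (rather than the fixed RegEx the first answer suggests for the file-tail receiver, which silently shifts columns if the field set changes), parses the JSON-lines output the second answer's `use_json = T` and `JSON::TS_ISO8601` settings produce, normalises both into the same record shape (epoch-second `ts`, typed ports), and runs a small port-scan heuristic over the combined records. The log lines are constructed for the example, and the heuristic itself (S0 connections from one originator to at least four distinct ports on one responder within 60 seconds) is an illustrative assumption, not a Bro or Siddhi rule. The normalised dicts are what a client for the first answer's second option would emit as JSON events to CEP.

```python
"""Normalise Bro conn.log records from both formats discussed above (the ASCII
writer's default TSV, and JSON lines from use_json = T with ISO 8601 timestamps)
into one shape, then run a small port-scan heuristic over them. Added example;
not code from the question, the answers, Bro or WSO2 CEP."""
import json
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample TSV log. The ASCII writer spells the separator out in the
# first header line ("\x09") and uses real tabs from then on.
TSV_LOG = (
    "#separator \\x09\n"
    "#set_separator\t,\n"
    "#empty_field\t(empty)\n"
    "#unset_field\t-\n"
    "#path\tconn\n"
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tservice\tconn_state\n"
    "#types\ttime\tstring\taddr\tport\taddr\tport\tenum\tstring\tstring\n"
    "1433116800.100000\tC1a\t10.0.0.5\t51000\t10.0.0.9\t22\ttcp\t-\tS0\n"
    "1433116800.200000\tC1b\t10.0.0.5\t51001\t10.0.0.9\t23\ttcp\t-\tS0\n"
    "1433116800.300000\tC1c\t10.0.0.5\t51002\t10.0.0.9\t80\ttcp\t-\tS0\n"
    "1433116800.400000\tC1d\t10.0.0.5\t51003\t10.0.0.9\t443\ttcp\t-\tS0\n"
    "1433116801.000000\tC1e\t10.0.0.7\t40000\t10.0.0.9\t80\ttcp\thttp\tSF\n"
    "#close\t2015-06-01-00-01-00\n"
)
# Constructed sample JSON log (use_json = T, json_timestamps = JSON::TS_ISO8601);
# unset fields such as "service" are simply absent in this format.
JSON_LOG = (
    '{"ts":"2015-06-01T00:00:02.000000Z","uid":"C2a","id.orig_h":"10.0.0.5",'
    '"id.orig_p":51004,"id.resp_h":"10.0.0.9","id.resp_p":3389,"proto":"tcp","conn_state":"S0"}\n'
    '{"ts":"2015-06-01T00:00:03.000000Z","uid":"C2b","id.orig_h":"10.0.0.7",'
    '"id.orig_p":40001,"id.resp_h":"10.0.0.9","id.resp_p":443,"proto":"tcp","service":"ssl","conn_state":"SF"}\n'
)
# Bro #types needing conversion; addr, enum, string and the rest stay str.
_CONVERTERS = {"time": float, "interval": float, "double": float,
               "count": int, "int": int, "port": int}


def parse_tsv(text):
    """Parse ASCII-writer TSV driven by its own #fields/#types header, so a
    changed column set raises instead of silently shifting fields the way a
    fixed RegEx would. Unset ("-") becomes None, empty ("(empty)") becomes ""."""
    sep, unset, empty, fields, types, records = "\t", "-", "(empty)", [], [], []
    for line in text.splitlines():
        if line.startswith("#separator "):
            sep = line.split(" ", 1)[1].encode().decode("unicode_escape")
        elif line.startswith("#"):  # header/marker lines; #path, #close carry no data
            key, _, rest = line[1:].partition(sep)
            if key == "fields":
                fields = rest.split(sep)
            elif key == "types":
                types = rest.split(sep)
            elif key == "unset_field":
                unset = rest
            elif key == "empty_field":
                empty = rest
        elif line:
            values = line.split(sep)
            if len(values) != len(fields):
                raise ValueError("column count mismatch: %r" % line)
            rec = {}
            for name, typ, val in zip(fields, types or ["string"] * len(fields), values):
                rec[name] = (None if val == unset else "" if val == empty
                             else _CONVERTERS.get(typ, str)(val))
            records.append(rec)
    return records


def parse_json(text):
    """Parse one-object-per-line JSON output; ISO 8601 "ts" strings are turned
    back into epoch seconds so both formats yield the same record shape."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        if isinstance(rec.get("ts"), str):
            dt = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%S.%fZ")
            rec["ts"] = dt.replace(tzinfo=timezone.utc).timestamp()
        records.append(rec)
    return records


def detect_scanners(records, window=60.0, min_ports=4):
    """Illustrative heuristic (an assumption of this example, not a Bro or Siddhi
    rule): flag an originator whose SYNs get no reply (conn_state S0) from one
    responder on >= min_ports distinct ports within `window` seconds."""
    probes = defaultdict(list)  # (orig_h, resp_h) -> [(ts, resp_p), ...]
    for rec in records:
        if rec.get("conn_state") == "S0":
            probes[(rec["id.orig_h"], rec["id.resp_h"])].append((rec["ts"], rec["id.resp_p"]))
    alerts = {}
    for pair, hits in probes.items():
        hits.sort()
        for i, (t0, _) in enumerate(hits):  # slide the window over each start time
            ports = {p for t, p in hits[i:] if t - t0 <= window}
            if len(ports) >= min_ports:
                alerts[pair] = sorted(ports)
                break
    return alerts


if __name__ == "__main__":
    for (o, r), ports in detect_scanners(parse_tsv(TSV_LOG) + parse_json(JSON_LOG)).items():
        print("possible scan from %s against %s on ports %s" % (o, r, ports))
```

Run as-is it reports the constructed scanner 10.0.0.5 probing five ports on 10.0.0.9 across both log formats; `detect_scanners` is the kind of windowed, grouped count a Siddhi query over the same records would express.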