JustinAzoff / netflow-indexer

A program that uses xapian to index the flat file databases used by nfdump or flow-tools
http://justinazoff.github.com/netflow-indexer/

Can't interpret JSON output from Bro #6

Open kraigu opened 9 years ago

kraigu commented 9 years ago

Would be nice if it could.

JustinAzoff commented 9 years ago

Oh.. that is very easy to do actually.. Just need a json version of https://github.com/JustinAzoff/netflow-indexer/blob/master/netflowindexer/bro/indexer.py

could probably have one that works for both.. do the bro json logs contain '.json' in the filename at all? I forget...

But it would basically be

    ip_columns = self.cfg_data["ip_columns"].split(",") #remove int

and then something like

    record = json.loads(line)  # one JSON object per line
    for col in ip_columns:
        add(record[col])

JustinAzoff commented 9 years ago

Oh, and could probably have a version that uses 'jq' to do the json heavy lifting if parsing all the json in python is too slow.

kraigu commented 9 years ago

Sorry, missed your reply - no, there's no way to tell based on filename the difference between a JSON and a "regular" ASCII log. I'll try your fix when I get a mo' and send a patch/pull or something.
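Putting the two points in this thread together (a single indexer path that reads both the tab-separated and the JSON Bro logs, and the fact that the filename does not say which one you have), here is an added example of how such a reader could sniff the format from the first line and pull the configured IP columns out of either form. This is illustration code written for this thread, not code from netflow-indexer; the column names in `IP_COLUMNS`, the `uid` values and all log lines are constructed samples, and the `#fields` header handling assumes the standard Bro ASCII writer layout.

```python
"""Extract IP column values from Bro logs in either ASCII or JSON form.

Added example for this issue thread, not code from netflow-indexer.
Column names, uids and log lines below are constructed sample data.
"""
import itertools
import json

# Constructed config: the conn.log IP columns, by field name.
IP_COLUMNS = ["id.orig_h", "id.resp_h"]

# Constructed sample: a tab-separated Bro ASCII log with its header block.
ASCII_LOG = """#separator \\x09
#set_separator\t,
#empty_field\t(empty)
#unset_field\t-
#path\tconn
#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto
#types\ttime\tstring\taddr\tport\taddr\tport\tenum
1425000000.000000\tCHhAvVGS1DHFjwGM9\t192.0.2.10\t51234\t198.51.100.20\t443\ttcp
1425000001.000000\tC4J4Th3PJpwUYZZ6gc\t192.0.2.11\t51235\t198.51.100.21\t80\ttcp
#close\t2015-02-27-00-00-00
"""

# Constructed sample: the same two records as Bro's JSON writer emits them.
JSON_LOG = """{"ts":1425000000.0,"uid":"CHhAvVGS1DHFjwGM9","id.orig_h":"192.0.2.10","id.orig_p":51234,"id.resp_h":"198.51.100.20","id.resp_p":443,"proto":"tcp"}
{"ts":1425000001.0,"uid":"C4J4Th3PJpwUYZZ6gc","id.orig_h":"192.0.2.11","id.orig_p":51235,"id.resp_h":"198.51.100.21","id.resp_p":80,"proto":"tcp"}
"""


def detect_format(first_line):
    """Sniff the log format from content, since the filename does not tell."""
    stripped = first_line.lstrip()
    if stripped.startswith("{"):
        return "json"
    if stripped.startswith("#") or "\t" in stripped:
        return "ascii"
    raise ValueError("unrecognised Bro log line: %r" % first_line[:40])


def _ascii_records(lines):
    """Yield one dict per data line, keyed by the names in the #fields header."""
    fields = None
    for line in lines:
        line = line.rstrip("\n")
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#fields\t"):
                fields = line.split("\t")[1:]
            continue  # #separator, #types, #close, ... carry no records
        if fields is None:
            raise ValueError("data line before #fields header")
        yield dict(zip(fields, line.split("\t")))


def _json_records(lines):
    """Yield one dict per non-empty line of a JSON-lines log."""
    for line in lines:
        line = line.strip()
        if line:
            yield json.loads(line)


def iter_ips(lines, ip_columns=IP_COLUMNS):
    """Yield every configured IP column value, whichever format the log is in."""
    lines = iter(lines)
    first = next(lines, None)
    if first is None:
        return
    fmt = detect_format(first)
    lines = itertools.chain([first], lines)  # put the sniffed line back
    records = _json_records(lines) if fmt == "json" else _ascii_records(lines)
    for record in records:
        for col in ip_columns:
            value = record.get(col)
            # Bro writes unset ASCII fields as "-" and omits them in JSON.
            if value is None or value in ("-", "(empty)"):
                continue
            yield value


def index_ips(text, ip_columns=IP_COLUMNS):
    """Return (format, [ip, ...]) for a whole log passed as one string."""
    lines = text.splitlines()
    fmt = detect_format(lines[0]) if lines else None
    return fmt, list(iter_ips(lines, ip_columns))


if __name__ == "__main__":
    for name, log in (("ascii", ASCII_LOG), ("json", JSON_LOG)):
        fmt, ips = index_ips(log)
        print("%s log detected as %s, %d IPs: %s" % (name, fmt, len(ips), ips))
```

Both sample logs yield the same four addresses in the same order, which is the property an indexer wants: the Xapian terms it adds should not depend on which writer Bro was configured with.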