Bro::Lognorm
This plugin aims at integrating liblognorm into Bro and is under development.
Installation
The plugin is based on liblognorm, which requires libfastjson. Make sure both libraries are available including their headers, which are required to build this plugin.
Bro Package Manager
The plugin is available as package for the Bro Package Manager and can be installed using the following command:
bro-pkg install bro-lognorm
To install uncompiled plugins, Bro's source code must be available to the package manager (see package manager's documentation for more information).
Manual Install
The following will compile and install the Lognorm plugin alongside Bro, assuming it can find the headers in a standard location:
# ./configure && make && make install
If the headers are installed somewhere non-standard, add
--with-liblognorm=<liblognorm-header-directory> respectively
--with-libfastjson=<libfastjson-header-directory> to the configure
command. If everything built and installed correctly, you should see
this:
# bro -N Bro::Lognorm
Bro::Lognorm - Log file analyzing (in development) (dynamic, version 0.3)
Usage
The plugin wraps basic liblognorm functionality by providing the lognorm opaque
type. This type allows to parse log lines based on liblognorm rule files. In case a
rule matches, an event for every tag the rule defines is scheduled. To handle these,
one needs to define an event with the corresponding name. This event may specify any
subset of fields, parsed by the rule, as arguments. Fields are mapped to arguments
by name.
The plugin comes with a small set of scripts that allow easy integration. For more
details see scripts/Bro/Lognorm/.
Notes
- The plugin is not well tested!
- Variables are implicitly converted into Bro types. Currently only
string,int,doubleandboolare supported.- In particular, the plugin does not support nested types (might be implemented on demand).
- The
unparsed_line()event cannot be used in cluster mode.- If you have any ideas or suggestions, feel free to reach out!