[Oisf-users] Change delimiter in fast.log
Jason Ish
lists at unx.ca
Wed Apr 13 15:30:49 UTC 2016
On Tue, Apr 12, 2016 at 1:35 PM, Jacob King <jake at hootsuite.com> wrote:
> I wanted to know if there was a method for changing the delimiter character:
>
> 04/12/2016-10:00:26.390382 [**] [1:2013926:8] ET POLICY HTTP traffic on
> port 443 (POST) [**] [Classification: Potentially Bad Traffic] [Priority: 2]
> {TCP} XX.XX.XX.XX:XXXXX -> XX.XX.XX.XX:443
>
> I noticed that it is constantly set as the [**] string, and I wanted to
> change it to a single unicode char that I can parse easily with some log
> analysis tools. It appears to be consistent along dns, http and https.
>
> Any help would be appreciated.
There is no official way to do this; you would have to modify the
code. But I'd highly suggest looking at the JSON output (eve-log). It's
very easy to parse, then mangle with Python, Perl, or most other
languages.
Jason
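To show the two approaches side by side (parsing the `[**]`-delimited fast.log line versus reading the same alert from eve-log JSON), here is an added example that is not part of the thread or of Suricata's own code. The fast.log sample is constructed in the shape of the line quoted above with documentation IP addresses; the EVE record is likewise constructed and assumes the standard alert fields (`event_type`, `src_ip`, `src_port`, `dest_ip`, `dest_port`, `proto`, and the `alert` object with `gid`, `signature_id`, `rev`, `signature`, `category`, `severity`). The regex is this example's own assumption about the fast.log layout for TCP/UDP alerts (a protocol tag followed by `ip:port -> ip:port`) and returns `None` for anything it cannot match, so a log-rotation marker or a wrapped line does not silently become a bogus record. `to_delimited` does what the original question asked for, re-emitting the parsed fields with a single-character separator, without touching the Suricata source.

```python
import json
import re

# Constructed sample lines (documentation IPs); shaped like the thread's
# quoted line, not copied from any real sensor.
FAST_SAMPLE = (
    "04/12/2016-10:00:26.390382  [**] [1:2013926:8] ET POLICY HTTP traffic on "
    "port 443 (POST) [**] [Classification: Potentially Bad Traffic] [Priority: 2] "
    "{TCP} 10.0.0.5:51234 -> 203.0.113.7:443"
)
EVE_SAMPLE = json.dumps({
    "timestamp": "2016-04-12T10:00:26.390382-0700",
    "event_type": "alert",
    "src_ip": "10.0.0.5", "src_port": 51234,
    "dest_ip": "203.0.113.7", "dest_port": 443,
    "proto": "TCP",
    "alert": {"action": "allowed", "gid": 1, "signature_id": 2013926, "rev": 8,
              "signature": "ET POLICY HTTP traffic on port 443 (POST)",
              "category": "Potentially Bad Traffic", "severity": 2},
})

# Common field order used for both parsers and for the delimited output.
FIELDS = ["timestamp", "gid", "sid", "rev", "msg", "classification", "priority",
          "proto", "src_ip", "src_port", "dest_ip", "dest_port"]

# Assumed fast.log layout for TCP/UDP alerts:
#   <ts> [**] [gid:sid:rev] <msg> [**] [Classification: ...] [Priority: N] {PROTO} src:port -> dst:port
# The Classification block is treated as optional; the rest is required.
FAST_RE = re.compile(
    r"^(?P<timestamp>\S+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s*(?P<classification>[^\]]*)\]\s+)?"
    r"\[Priority:\s*(?P<priority>\d+)\]\s+"
    r"\{(?P<proto>[^}]+)\}\s+"
    r"(?P<src_ip>\S+):(?P<src_port>\d+)\s+->\s+"
    r"(?P<dest_ip>\S+):(?P<dest_port>\d+)\s*$"
)


def parse_fast_line(line):
    """Parse one fast.log line into a dict keyed by FIELDS, or None if it does not match."""
    m = FAST_RE.match(line.rstrip("\n"))
    if not m:
        return None
    rec = m.groupdict()
    for key in ("gid", "sid", "rev", "priority", "src_port", "dest_port"):
        rec[key] = int(rec[key])
    return rec


def parse_eve_alert(line):
    """Parse one eve.json line; return the same FIELDS dict for alerts, None otherwise."""
    try:
        ev = json.loads(line)
    except ValueError:
        return None
    if ev.get("event_type") != "alert":
        return None
    a = ev["alert"]
    return {
        "timestamp": ev["timestamp"],
        "gid": a["gid"], "sid": a["signature_id"], "rev": a["rev"],
        "msg": a["signature"], "classification": a.get("category"),
        "priority": a["severity"], "proto": ev["proto"],
        "src_ip": ev["src_ip"], "src_port": ev.get("src_port"),
        "dest_ip": ev["dest_ip"], "dest_port": ev.get("dest_port"),
    }


def same_alert(a, b):
    """True when two parsed records agree on every field except the timestamp,
    whose format differs between fast.log and EVE."""
    return all(a[f] == b[f] for f in FIELDS if f != "timestamp")


def to_delimited(rec, sep="\x1f"):
    """Re-emit a record as one line with a single-character separator.
    ASCII unit separator is the default because rule messages are printable
    text and cannot contain it, so no quoting is needed."""
    return sep.join("" if rec[f] is None else str(rec[f]) for f in FIELDS)


if __name__ == "__main__":
    fast = parse_fast_line(FAST_SAMPLE)
    eve = parse_eve_alert(EVE_SAMPLE)
    print(to_delimited(fast, sep="|"))
    print("fast.log and eve.json describe the same alert:", same_alert(fast, eve))
```

Run stand-alone it prints the alert as a `|`-separated line and confirms that both parsers yield the same fields; in practice the EVE path is the one to build on, since it needs no regex at all and carries fields (flow id, packet payload, HTTP metadata) that fast.log never had.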