[Oisf-users] Change delimiter in fast.log

Jacob King jake at hootsuite.com
Wed Apr 13 15:48:45 UTC 2016


Thanks Jason -

Late last night I ended up using the eve-log output to parse out what I
needed. This should be sufficient for now.


Thanks!

Jake


On Wed, Apr 13, 2016 at 8:30 AM, Jason Ish <lists at unx.ca> wrote:

> On Tue, Apr 12, 2016 at 1:35 PM, Jacob King <jake at hootsuite.com> wrote:
> > I wanted to know if there was a method for changing the delimiter
> > character:
> >
> > 04/12/2016-10:00:26.390382  [**] [1:2013926:8] ET POLICY HTTP traffic on
> > port 443 (POST) [**] [Classification: Potentially Bad Traffic]
> > [Priority: 2]
> > {TCP} XX.XX.XX.XX:XXXXX -> XX.XX.XX.XX:443
> >
> > I noticed that it is constantly set as the [**] string, and I wanted to
> > change it to a single unicode char that I can parse easily with some log
> > analysis tools. It appears to be consistent along dns, http and https.
> >
> > Any help would be appreciated.
>
> There is no official way to do this, you would have to modify the
> code. But I'd highly suggest looking at the JSON output (eve-log). It's
> very easy to parse, then mangle with Python, Perl, most other
> languages.
>
> Jason
>

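The thread settles on parsing rather than patching Suricata. As an added example (not code from the thread or from the Suricata project), the script below parses the fast.log line layout quoted above with one regex and re-emits each record with a single delimiter character, which is what the original question asked for; the field layout is assumed from the quoted line plus the standard fast.log format, and the sample lines are constructed with RFC 5737 documentation addresses.

```python
import re
from datetime import datetime
from typing import Optional

# Assumed layout of one fast.log record (from the line quoted in the thread):
# <ts>  [**] [gid:sid:rev] <msg> [**] [Classification: <cls>] [Priority: <n>]
#   {<proto>} <src>[:<sport>] -> <dst>[:<dport>]      (ports absent for ICMP)
FAST_LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s*(?P<cls>[^\]]*)\]\s+)?"
    r"\[Priority:\s*(?P<priority>\d+)\]\s+"
    r"\{(?P<proto>[^}]+)\}\s+"
    r"(?P<src>\S+?)(?::(?P<sport>\d+))?\s+->\s+(?P<dst>\S+?)(?::(?P<dport>\d+))?$"
)
FIELDS = ("ts", "gid", "sid", "rev", "msg", "cls", "priority", "proto",
          "src", "sport", "dst", "dport")

# Constructed sample input: first line mirrors the thread's example, second is ICMP
# (no ports), third is junk that must be rejected rather than half-parsed.
SAMPLE_LINES = [
    "04/12/2016-10:00:26.390382  [**] [1:2013926:8] ET POLICY HTTP traffic on port "
    "443 (POST) [**] [Classification: Potentially Bad Traffic] [Priority: 2] "
    "{TCP} 192.0.2.10:51234 -> 198.51.100.5:443",
    "04/12/2016-10:00:27.000001  [**] [1:1000001:1] LOCAL ICMP echo (constructed) "
    "[**] [Classification: Misc activity] [Priority: 3] {ICMP} 192.0.2.10 -> 198.51.100.5",
    "not a fast.log line",
]


def parse_fast_log_line(line: str) -> Optional[dict]:
    """Parse one fast.log line into a dict of typed fields; None if it does not match."""
    m = FAST_LOG_RE.match(line.rstrip("\n"))
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%m/%d/%Y-%H:%M:%S.%f")
    for key in ("gid", "sid", "rev", "priority", "sport", "dport"):
        rec[key] = int(rec[key]) if rec[key] is not None else None
    return rec


def to_delimited(rec: dict, delim: str = "\u241f") -> str:
    """Re-emit a record joined by a single char (default U+241F, unit separator).
    Refuses if the delimiter occurs inside a field (e.g. a rule msg), because a
    downstream tool splitting on it would otherwise see shifted columns."""
    vals = ["" if rec[k] is None else str(rec[k]) for k in FIELDS]
    if any(delim in v for v in vals):
        raise ValueError("delimiter appears inside a field")
    return delim.join(vals)
```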