There are two ways to get Zeek to write its logs in JSON format.
Use Zeek's built-in functionality
Add the following to your local.bro file:
@load tuning/json-logs
redef LogAscii::use_json=T;
With this setting the logs are written only in JSON format; the tab-delimited ASCII logs are no longer produced.
Use the add-json Zeek package
After installing the package with
bro-pkg install add-json (you first need to have
bro-pkg installed; the instructions are at https://bro-package-manager.readthedocs.io/en/stable/), add the following to your
This provides greater flexibility than the native JSON format described above. In addition, you get the logs in both formats: tab-delimited ASCII and JSON. Full documentation can be found on GitHub: https://github.com/J-Gras/add-json.
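As an added example (not code from this page, from Zeek or from the add-json package), here is a small Python reader for both output formats, which shows why the JSON form is easier to consume: the tab-delimited log needs its #fields and #types header lines to recover field names, types and the unset marker, while each JSON line already carries typed values. The two conn.log records are constructed sample data, and the header defaults in parse_ascii are assumptions matching Zeek's usual ASCII settings.

```python
import json

ASCII_SAMPLE = "\n".join([  # constructed tab-delimited conn.log excerpt
    "#unset_field\t-",
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tservice\tduration",
    "#types\ttime\tstring\taddr\tport\taddr\tport\tenum\tstring\tinterval",
    "1546300800.000000\tCAbc123\t10.0.0.5\t51234\t203.0.113.7\t443\ttcp\tssl\t1.5",
    "1546300801.000000\tCDef456\t10.0.0.6\t51235\t203.0.113.8\t80\ttcp\t-\t0.2",
    "#close\t2019-01-01-01-00-00",
])
JSON_SAMPLE = "\n".join([  # the same two records as the JSON writer emits them
    '{"ts":1546300800.0,"uid":"CAbc123","id.orig_h":"10.0.0.5","id.orig_p":51234,'
    '"id.resp_h":"203.0.113.7","id.resp_p":443,"proto":"tcp","service":"ssl","duration":1.5}',
    '{"ts":1546300801.0,"uid":"CDef456","id.orig_h":"10.0.0.6","id.orig_p":51235,'
    '"id.resp_h":"203.0.113.8","id.resp_p":80,"proto":"tcp","duration":0.2}',
])

def _convert(value, ztype, hdr):
    """Map one tab-delimited column to the native type the JSON writer would emit."""
    if value == hdr["unset_field"]:
        return None
    if ztype.startswith(("set[", "vector[")):
        inner = ztype[ztype.index("[") + 1:-1]
        items = [] if value == hdr["empty_field"] else value.split(hdr["set_separator"])
        return [_convert(v, inner, hdr) for v in items]
    if value == hdr["empty_field"]:
        return ""
    if ztype in ("time", "interval", "double"):
        return float(value)
    if ztype in ("port", "count", "int"):
        return int(value)
    return value  # string, addr, subnet, enum stay as text

def parse_ascii(text):
    """Parse a Zeek tab-delimited log, driven by its #fields/#types header lines."""
    hdr = {"unset_field": "-", "empty_field": "(empty)", "set_separator": ","}  # assumed defaults
    records = []
    for line in filter(None, text.splitlines()):
        if line.startswith("#"):  # header or footer line such as #fields, #types, #close
            key, _, rest = line[1:].partition("\t")
            hdr[key] = rest
            continue
        fields, types = hdr["fields"].split("\t"), hdr["types"].split("\t")
        rec = {f: _convert(v, t, hdr) for f, v, t in zip(fields, line.split("\t"), types)}
        records.append({k: v for k, v in rec.items() if v is not None})  # JSON omits unset fields
    return records

def parse_json(text):
    """Parse JSON logs: one object per line, with native types already in place."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]
```

Both readers return the same list of dicts for the sample, so downstream tooling can be written once against the JSON shape.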