This plugin aims at integrating liblognorm into Bro and is under development.

The plugin is based on liblognorm, which requires libfastjson. Make sure both libraries are available including their headers, which are required to build this plugin.

The plugin is available as package for the Bro Package Manager and can be installed using the following command:

bro-pkg install bro-lognorm

To install uncompiled plugins, Bro's source code must be available to the package manager (see package manager's documentation for more information).

The following will compile and install the Lognorm plugin alongside Bro, assuming it can find the headers in a standard location:

# ./configure && make && make install

If the headers are installed somewhere non-standard, add --with-liblognorm=<liblognorm-header-directory> respectively --with-libfastjson=<libfastjson-header-directory> to the configure command. If everything built and installed correctly, you should see this:

# bro -N Bro::Lognorm
    Bro::Lognorm - Log file analyzing (in development) (dynamic, version 0.3)

The plugin wraps basic liblognorm functionality by providing the lognorm opaque type. This type allows to parse log lines based on liblognorm rule files. In case a rule matches, an event for every tag the rule defines is scheduled. To handle these, one needs to define an event with the corresponding name. This event may specify any subset of fields, parsed by the rule, as arguments. Fields are mapped to arguments by name.

The plugin comes with a small set of scripts that allow easy integration. For more details see scripts/Bro/Lognorm/.

• The plugin is not well tested!
• Variables are implicitly converted into Bro types. Currently only string, int, double and bool are supported.
• In particular, the plugin does not support nested types (might be implemented on demand).
• The unparsed_line() event cannot be used in cluster mode.
• If you have any ideas or suggestions, feel free to reach out!