zeekparse

A log parser for common zeek text logs in Go. Allows you to query logs using logic written in Go.

This is a WIP and currently supports parsing the following logs:

dns.log
conn.log
http.log
ssl.log
x509.log

Use Case

This was made because I want to do data analysis on network logs I have been collecting which are mostly in Zeek/Bro IDS text format. These are compact files and can be retained for a longer period compared to full packet captures. Analyzing them quickly is typically done with zeekcut but I wanted to have more control over the logic in order to make it repeatable. This is what zeekparse is meant to do; parse the text logs that Zeek creates by default so that you can write your logic and analyze them in Go.

My plan is to support these logs: dns, conn, http, ssl, ssh and dhcp.

Status

handles gz compressed and uncompressed files
Can parse values from headers.
Can parse log entries into Go structures.
Can parse dns.log entries.
Can parse conn.log entries.
Can parse http.log entries.
Can parse ssl.log entries.
Can parse x509.log entries.

Still to-do

Can parse dhcp.log entries.

Name		Name	Last commit message	Last commit date
Latest commit History 81 Commits
.github/workflows		.github/workflows
examples		examples
test_input		test_input
.gitignore		.gitignore
LICENSE.md		LICENSE.md
Makefile		Makefile
README.md		README.md
common.go		common.go
common_test.go		common_test.go
conn.go		conn.go
conn_test.go		conn_test.go
dns.go		dns.go
dns_test.go		dns_test.go
go.mod		go.mod
go.sum		go.sum
header.go		header.go
header_test.go		header_test.go
http.go		http.go
http_test.go		http_test.go
logparse.go		logparse.go
logparse_test.go		logparse_test.go
ssl.go		ssl.go
ssl_test.go		ssl_test.go
x509.go		x509.go
x509_test.go		x509_test.go

License

jakubd/zeekparse

Folders and files

Latest commit

History

Repository files navigation

zeekparse

Use Case

Status

Still to-do

About

Topics

Resources

License

Stars

Watchers

Forks

Languages