Structured logging offers a variety of advantages, including simpler parsing, easier format conversion, and more flexible classification and correlation of events, even across diverse log sources nxlog.co/whitepapers/structure

@superruserr
Do you know some good programs to read structured logs? That have filter and order capabilities. Terminal or GUI. I was looking for it recently but couldn't really find one.

@stevenroose

Maybe you mean programs to convert logs to structured logs. You can just use tail in a terminal or a tail GUI to view any log source. What you want is to rewrite/convert them to a structured format.

@superruserr
No, what I was looking for was a program to view those structured logs. Our software already produces structured logs.
I'm looking for a program that can easily do filters by field (e.g. .severity == "warning" and .subsystem == "rpcserver") and such operations. Currently I use jq filters, but that means typing the filter manually.

@stevenroose @superruserr We're very happy with Graylog for collecting and viewing all our logs.

@raucao
Hmm, thanks for the suggestion :) I was more looking for a local-style app. Like for inspecting local log files either taken from a machine or produced while testing.
@superruserr

@stevenroose I can only think of running the app locally and forwarding the structured logs there, i.e. I run Splunk locally on a Windows EC2 instance and configure it to send my logs to Splunk via TCP localhost.
There are surely some lightweight solutions, since Splunk is slightly more than log search/management.

@raucao @superruserr
Yeah that's what I'm doing now. jq, (rip)grep and pipes.

@stevenroose Log management software does filters and alerts - Splunk, ELK and Graylog can do filters; Graylog is open source.

@stevenroose

{
  "timestamp": "2019-07-03T01:32:24.000Z",
  "facility": "USER_LEVEL_MESSAGES",
  "severity": "INFORMATIONAL",
  "hostname": "AWS.server.com",
  "appname": "Microsoft-Windows-DHCP-Server",
  "source_data": "Message"
}

is structured, vs. this single-line log without the above key/value pairs:

07 Jul 2019 09:54:38.3562019-07-07 09:54:36 AWS.server.com INFO 74 LOG\Administrator Scope: [[172.220.0.0]Test] for IPv4 is DeActivated by LOG\Administrator.
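The local field filter superruserr asked for earlier in the thread (.severity == "warning" and .subsystem == "rpcserver", with ordering) over structured logs like the JSON record above, as an added example that is not part of any post in this thread. It reads JSON-lines records, parses a small jq-style "and" filter, skips lines that are not valid JSON, and sorts the hits; the sample log lines and the field names "subsystem" and "msg" are constructed for the example.

```python
import json
import re

# Constructed sample: one JSON object per line, field names as used in the thread.
# The fourth line is deliberately not JSON to show the parser skipping it.
SAMPLE_LOG = """\
{"timestamp": "2019-07-03T01:32:24.000Z", "severity": "warning", "subsystem": "rpcserver", "msg": "slow request"}
{"timestamp": "2019-07-03T01:32:20.000Z", "severity": "info", "subsystem": "rpcserver", "msg": "request ok"}
{"timestamp": "2019-07-03T01:32:30.000Z", "severity": "warning", "subsystem": "dhcp", "msg": "scope deactivated"}
not json at all
{"timestamp": "2019-07-03T01:32:25.000Z", "severity": "warning", "subsystem": "rpcserver", "msg": "retry"}
"""

# One condition of the jq-style filter: .field == "value"
COND_RE = re.compile(r'^\.(\w+)\s*==\s*"([^"]*)"$')


def parse_filter(expr):
    """Turn '.severity == "warning" and .subsystem == "rpcserver"' into {field: value}."""
    conditions = {}
    for part in expr.split(" and "):
        m = COND_RE.match(part.strip())
        if not m:
            raise ValueError(f"unsupported condition: {part!r}")
        conditions[m.group(1)] = m.group(2)
    return conditions


def parse_jsonl(text):
    """Yield dict records from JSON-lines text; silently skip malformed or non-object lines."""
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue
        if isinstance(rec, dict):
            yield rec


def query(text, conditions, order_by="timestamp", reverse=False):
    """Return records matching every condition (AND), sorted by a field.

    ISO-8601 timestamps in a single fixed format sort correctly as strings;
    records missing the sort field sort first (empty string key).
    """
    hits = [r for r in parse_jsonl(text) if all(r.get(f) == v for f, v in conditions.items())]
    hits.sort(key=lambda r: str(r.get(order_by, "")), reverse=reverse)
    return hits


if __name__ == "__main__":
    for r in query(SAMPLE_LOG, parse_filter('.severity == "warning" and .subsystem == "rpcserver"')):
        print(r["timestamp"], r["severity"], r["subsystem"], r["msg"])
```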

Infosec Exchange

A Mastodon instance for info/cyber security-minded people.