When parsing through bro log files, the bro-cut command was simple. But now that the files are being written in JSON format, it ain’t so easy. At least for me, as I can’t find any good resources yet on querying these files. But I have found a workaround.
So this is the example. I want to parse the X.509 log file and look for any X.509 certificates that obviously look bad, for example ones with a really short issuer like “me”. The following is one way of doing it.
cat x509.log | jq '.' | grep issuer | cut -d ':' -f 2 | sort | uniq -c | more
The “jq ‘.’ ” essentially says to output everything, pretty-printed one field per line. This is then passed to grep, looking for the lines that contain “issuer”. The output of this is then passed to the cut command, where we use the colon as the delimiter and select the second field. We then sort the lines and pass them to uniq -c, which collapses duplicates and prefixes each unique issuer with a count, and finally pipe it to more to go through the output line by line.
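The grep/cut approach works as long as the issuer value itself contains no colon; a distinguished name such as “CN=corp-proxy:8443” gets truncated at the first colon, and the count then belongs to a fragment rather than to the real issuer. Since the log is one JSON object per line, the robust way is to parse each line as JSON and read the issuer field by name (the jq equivalent is jq -r '."certificate.issuer"' x509.log | sort | uniq -c). The script below is an added example, not code from the original post or from the Bro project: it parses a constructed sample of JSON x509.log lines, counts certificates per issuer, and flags issuers whose DN is suspiciously short. The field name “certificate.issuer” and the threshold of 16 characters are assumptions; the sample records are made up.

```python
import json
from collections import Counter

# Constructed sample of Bro/Zeek x509.log lines in JSON format (one object per line).
# Field names follow the dotted flattening the JSON writer uses; values are made up.
SAMPLE_X509_LOG = """\
{"ts":1490000000.1,"id":"Fdlz1","certificate.version":3,"certificate.serial":"01","certificate.subject":"CN=me","certificate.issuer":"CN=me","certificate.key_type":"rsa","certificate.key_length":1024}
{"ts":1490000001.2,"id":"Fdlz2","certificate.version":3,"certificate.serial":"02","certificate.subject":"CN=www.example.com,O=Example Inc,C=US","certificate.issuer":"CN=Example CA,O=Example Inc,C=US","certificate.key_type":"rsa","certificate.key_length":2048}
{"ts":1490000002.3,"id":"Fdlz3","certificate.version":3,"certificate.serial":"03","certificate.subject":"CN=me","certificate.issuer":"CN=me","certificate.key_type":"rsa","certificate.key_length":512}
{"ts":1490000003.4,"id":"Fdlz4","certificate.version":3,"certificate.serial":"04","certificate.subject":"CN=proxy:8080","certificate.issuer":"CN=corp-proxy:8443,O=Corp","certificate.key_type":"rsa","certificate.key_length":2048}
"""


def parse_x509_log(text):
    """Parse JSON-lines x509.log text into a list of dicts, skipping blank lines."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        records.append(json.loads(line))
    return records


def count_issuers(records, field="certificate.issuer"):
    """Count how many certificates each issuer DN appears on (what sort | uniq -c does),
    reading the whole value so colons inside the DN do not truncate it."""
    return Counter(r[field] for r in records if field in r)


def suspicious_issuers(issuer_counts, max_len=16):
    """Return (issuer, count) pairs whose DN is shorter than max_len characters
    (assumed threshold), most frequent first. A DN like 'CN=me' is the kind of
    self-signed junk the post is hunting for."""
    short = [(dn, n) for dn, n in issuer_counts.items() if len(dn) < max_len]
    return sorted(short, key=lambda item: (-item[1], item[0]))


if __name__ == "__main__":
    # Replace SAMPLE_X509_LOG with open("x509.log").read() to run against a real log.
    counts = count_issuers(parse_x509_log(SAMPLE_X509_LOG))
    for dn, n in counts.most_common():
        print(f"{n:7d} {dn}")
    print("suspicious:", suspicious_issuers(counts))
```

Any other field in the record (key_length, subject, serial) can be counted or filtered the same way by changing the field argument, which is where this beats grep: a 512-bit key on a “CN=me” certificate is easy to pull out once the record is a dict.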