I have got a project to perform complex event processing of bro logs in order to detect any security lags or attacks and so on. I have done an initial survey and found out that bro generates various log files and that I can make WSO2 CEP take those files and write Siddhi queries for event processing. As the event receiver of WSO2 CEP takes xml, json or text as the message format, do I have to change the format of the bro log files, or can they work as they are? I didn't happen to find any sample of WSO2 CEP taking standard log files as an event receiver.
Fortunately bro supports json format for log files.
I just modified some default options in the ascii.bro file like:

# use json instead of tsv for all log files (it is F by default)
const use_json = T &redef;
# write timestamps in a standard format (ISO 8601 instead of the default epoch seconds)
const json_timestamps: JSON::TimestampFormat = JSON::TS_ISO8601 &redef;

And now I am getting all logs in the required format.
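As an added illustration (not part of either post), here is a small Python parser for the one-JSON-object-per-line output that bro's ASCII writer produces with use_json = T. It accepts both the ISO 8601 timestamps the answer configures and the default epoch-seconds form, skips lines that are not valid records, and flattens bro's dotted field names (id.orig_h) to underscores, since a Siddhi stream attribute name cannot contain a dot. The log lines and uid values are constructed samples.

```python
import json
from datetime import datetime, timezone

# Constructed sample lines in the shape bro's ASCII writer emits with
# use_json = T. Line 1 uses JSON::TS_ISO8601 (as configured in the answer),
# line 2 the default JSON::TS_EPOCH float; line 3 is deliberately broken.
SAMPLE_LINES = [
    '{"ts":"2015-06-01T12:00:00.000000Z","uid":"CHhAvVGS1DHFjwGM9","id.orig_h":"10.0.0.5",'
    '"id.orig_p":51234,"id.resp_h":"192.0.2.10","id.resp_p":22,"proto":"tcp","conn_state":"S0"}',
    '{"ts":1433160000.25,"uid":"CXxZ7f3oM5qJ1kLm7","id.orig_h":"10.0.0.5",'
    '"id.orig_p":51235,"id.resp_h":"192.0.2.10","id.resp_p":23,"proto":"tcp","conn_state":"REJ"}',
    'not json at all',
]


def parse_ts(value):
    """Return a UTC datetime for a bro JSON 'ts' in epoch-float or ISO 8601 form."""
    if isinstance(value, (int, float)):
        return datetime.fromtimestamp(value, tz=timezone.utc)
    # JSON::TS_ISO8601 writes microsecond precision with a trailing Z.
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)


def bro_json_to_event(line):
    """Parse one log line into a flat event dict, or None if it is unusable."""
    try:
        record = json.loads(line)
    except ValueError:
        return None
    if not isinstance(record, dict) or "ts" not in record:
        return None
    # id.orig_h -> id_orig_h so the key can be used as a stream attribute name.
    event = {key.replace(".", "_"): val for key, val in record.items()}
    event["ts"] = parse_ts(record["ts"]).isoformat()
    return event


def load_events(lines):
    """Parse many lines; returns (events, number_of_skipped_lines)."""
    events, skipped = [], 0
    for line in lines:
        event = bro_json_to_event(line)
        if event is None:
            skipped += 1
        else:
            events.append(event)
    return events, skipped
```

Feeding load_events the lines of conn.log gives flat dicts whose keys can be mapped one-to-one onto a Siddhi stream definition.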