Khika Data Format

From khika

KHIKA Data Format is a simple single-line string format: each message starts with an epoch time, followed by a colon (":") character, followed by key-value pairs. Every message must contain exactly one event_str key and value. All other key-value pairs are optional.

KHIKA Data Format: EPOCH_TIME : key1 value1 key2 value2 key3 value3 ... keyn valuen event_str "value of event_str"

Example: 1559126565 : tl_src_host my_laptop src_ip dst_ip src_port 176532 dst_port 53 event_str firewall_message

Though it is not compulsory, we HIGHLY recommend enclosing every key and value in double quotes. This takes care of space characters within a key or value, and of empty values: in the example above src_ip and dst_ip carry no value, so a parser that simply splits on whitespace pairs src_ip with the literal text dst_ip, and every field after it is shifted or lost.

So, the above message is better formatted as below:

1559126565 : "tl_src_host" "my_laptop" "src_ip" "" "dst_ip" "" "src_port" "176532" "dst_port" "53" "event_str" "firewall_message"

Typically, an Adapter script is responsible for reading the raw messages line by line, applying parsing logic (regular expressions and date-time functions) to convert each raw message into KHIKA Data Format, and writing the result to stdout.
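The following is an added example, not code from the KHIKA project: a small Python adapter that emits quoted KHIKA lines, a tokenizer that reads them back, and a conversion of a constructed firewall log line into the format. It illustrates both the quoting recommendation above (the unquoted page example parses with src_ip set to the text "dst_ip" and no dst_ip field at all, while the quoted form keeps both empty values) and the adapter pattern (regex plus date-time conversion, output on stdout). The raw log line format, the field names beyond those in the page's own example, and the backslash escape used for double quotes inside a value are assumptions made for this example; the page itself does not define an escape sequence.

```python
import re
import sys
from datetime import datetime, timezone

# One token of a KHIKA line: a double-quoted string (backslash escapes allowed, an
# assumption of this example) or a bare run of non-whitespace characters.
_TOKEN_RE = re.compile(r'"((?:[^"\\]|\\.)*)"|(\S+)')

# Constructed raw firewall line for the adapter; the layout is an assumption, not a KHIKA source.
# 2019-05-29T10:42:45Z is epoch 1559126565, the timestamp used in the page's example.
SAMPLE_RAW = ("2019-05-29T10:42:45Z fw01 kernel: DROP IN=eth0 SRC=203.0.113.7 "
              "DST=198.51.100.2 PROTO=UDP SPT=17653 DPT=53")
_RAW_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})Z (?P<host>\S+) kernel: (?P<action>\w+) "
    r"IN=\S* SRC=(?P<src>\S*) DST=(?P<dst>\S*) PROTO=\S+ SPT=(?P<spt>\d+) DPT=(?P<dpt>\d+)"
)

# The two forms of the page's own example message.
PAGE_UNQUOTED = ("1559126565 : tl_src_host my_laptop src_ip dst_ip src_port 176532 "
                 "dst_port 53 event_str firewall_message")
PAGE_QUOTED = ('1559126565 : "tl_src_host" "my_laptop" "src_ip" "" "dst_ip" "" '
               '"src_port" "176532" "dst_port" "53" "event_str" "firewall_message"')


def _quote(value):
    """Double-quote a key or value. Backslash-escaping embedded quotes is this
    example's assumption so that format -> parse is lossless."""
    return '"' + str(value).replace("\\", "\\\\").replace('"', '\\"') + '"'


def format_khika(epoch, fields):
    """Emit one KHIKA Data Format line from an epoch and a dict of fields.
    event_str is mandatory and is always written as the last pair."""
    if "event_str" not in fields:
        raise ValueError("every KHIKA message needs an event_str")
    pairs = [f"{_quote(k)} {_quote(v)}" for k, v in fields.items() if k != "event_str"]
    pairs.append(f'{_quote("event_str")} {_quote(fields["event_str"])}')
    return f"{int(epoch)} : " + " ".join(pairs)


def parse_khika(line):
    """Parse a KHIKA line into (epoch, fields). Tokens are paired by position, so an
    unquoted empty value silently shifts the following fields; an odd trailing token
    is exposed under the key '_unpaired' instead of being dropped."""
    head, sep, body = line.partition(":")
    if not sep or not head.strip().isdigit():
        raise ValueError("line must start with an epoch time followed by ':'")
    tokens = []
    for m in _TOKEN_RE.finditer(body):
        if m.group(1) is not None:
            tokens.append(re.sub(r"\\(.)", r"\1", m.group(1)))  # undo the escape
        else:
            tokens.append(m.group(2))
    fields = {tokens[i]: tokens[i + 1] for i in range(0, len(tokens) - 1, 2)}
    if len(tokens) % 2:
        fields["_unpaired"] = tokens[-1]
    if "event_str" not in fields:
        raise ValueError("message has no event_str")
    return int(head.strip()), fields


def adapt_line(raw):
    """Convert one raw line into a KHIKA line, or None if the adapter does not
    recognise it. Empty captures are kept as "" rather than dropped."""
    m = _RAW_RE.match(raw)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)
    return format_khika(int(ts.timestamp()), {
        "tl_src_host": m["host"],
        "src_ip": m["src"],
        "dst_ip": m["dst"],
        "src_port": m["spt"],
        "dst_port": m["dpt"],
        "event_str": f"firewall_{m['action'].lower()}",
    })


if __name__ == "__main__":
    # Adapter usage: raw lines on stdin, KHIKA lines on stdout; falls back to the
    # constructed sample when run interactively.
    source = [SAMPLE_RAW] if sys.stdin.isatty() else sys.stdin
    for raw in source:
        out = adapt_line(raw.rstrip("\n"))
        if out:
            print(out)
    # Why quoting matters: the unquoted page example parses without error but
    # assigns the text "dst_ip" to src_ip and has no dst_ip field at all.
    print(parse_khika(PAGE_UNQUOTED)[1])
    print(parse_khika(PAGE_QUOTED)[1])
```

Run it as `python adapter.py < firewall.log` to produce KHIKA lines. The point to take from parse_khika is that the unquoted form of the page's message does not fail, it misattributes: a downstream rule keyed on dst_ip would never fire, and src_ip would hold a field name instead of an address. Always quote, and have the adapter emit `""` for values the regex could not capture rather than omitting them.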

We encourage you to read the section on Writing your own KHIKA Data Adapters.