Formats
A format is the bridge between raw bytes and structured data. A format provides a parser and/or printer:
- Parser: translates raw bytes into structured event data
- Printer: translates structured events into raw bytes
Parsers and printers interact with their corresponding dual from a connector: a parser consumes the raw bytes that a connector's loader produces, and a printer produces the raw bytes that a connector's saver consumes.
Formats appear as an argument to the read and write operators:
read <format> [from <connector>]
write <format> [to <connector>]
If the connector is omitted, the default is stdin for read and stdout for write.
Tenzir ships with the following formats:
- cef: Parses events in the Common Event Format (CEF).
- csv: The csv format is a configuration of the xsv format:
- feather: Reads and writes the Feather file format.
- json: Reads and writes JSON.
- lines: Parses events as lines.
- netflow: Reads NetFlow v5, v9, and IPFIX.
- parquet: Reads and writes events in the Parquet file format.
- pcap: Reads and writes raw network packets in the PCAP file format.
- ssv: The ssv format is a configuration of the xsv format:
- suricata: Reads Suricata's EVE JSON output. The parser is an alias
- tsv: The tsv format is a configuration of the xsv format:
- xsv: Reads and writes lines with separated values.
- yaml: Reads and writes YAML.
- zeek-json: The zeek-json format is an alias for json with the arguments:
- zeek-tsv: Reads and writes Zeek tab-separated values.