Fix conn.log in json format

Author: eldraco

zeek-term.py

@@ -44,10 +44,10 @@
 }
 
 # Argument parsing
-parser = argparse.ArgumentParser(description='Process log files with colored output.')
+parser = argparse.ArgumentParser(description='Process Zeek log files with colored output.')
 parser.add_argument('-f', '--foreground', action='store_true', help='Use foreground colors')
 parser.add_argument('-d', '--directory', type=str, required=True, help='Zeek log directory')
-parser.add_argument('-c', '--filter-conn', action='store_true', help='If the flow is in other file, dont show the entry from conn.log')
+parser.add_argument('-c', '--filter-conn', action='store_true', help='Filter conn.log by UID')
 parser.add_argument('-n', '--no-ts-conversion', action='store_true', help='Disable timestamp conversion')
 parser.add_argument('-t', '--timezone', type=str, default='UTC+2', help='Timezone (e.g. UTC+2)')
 
@@ -88,7 +88,7 @@ def process_text_log_line(log_type, parts):
 
     record = dict(zip(header, parts))
 
-    if not args.no_ts_conversion and 'ts' in record:
+    if not args.no_ts_conversation and 'ts' in record:
         record['ts'] = convert_ts(record['ts'])
 
     if log_type == 'files' and 'uid' in record:
@@ -110,9 +110,8 @@ def process_json_log_line(log_type, data):
     if not args.no_ts_conversion and 'ts' in data:
         data['ts'] = convert_ts(data['ts'])
 
-    if 'uid' in data:
-        if log_type != 'conn':
-            uids.add(data['uid'])
+    if 'uid' in data and log_type != 'conn':
+        uids.add(data['uid'])
 
     if log_type == 'conn':
         conn_entries.append(data)
@@ -124,7 +123,7 @@ def process_json_log_line(log_type, data):
         ] + [str(v) for k, v in data.items() if k not in ('ts', 'uid')])
         log_entries.append((line, color_scheme[log_type]))
 
-# Read each log file
+# Read and process each log file
 for log_type, filename in file_patterns.items():
     filepath = os.path.join(args.directory, filename)
     if os.path.isfile(filepath):
@@ -141,40 +140,40 @@ def process_json_log_line(log_type, data):
                         process_text_log_line(log_type, parts)
 
 # Handle conn.log with optional UID filtering
-# -------------------------------------------
-# This block processes all collected connection records (conn.log).
-# It checks whether each connection's UID is already present in other logs,
-# and optionally filters them out if the --filter-conn flag is set.
-# The idea is that if the flow is on other file appart from conn.log, 
-# you know it has a conn.log entry, so dont show it
 for record in conn_entries:
     uid = record.get('uid', '-')
     if args.filter_conn and uid in uids:
         continue
+
     ts_val = record.get('ts', '0')
     ts_str = ts_val if args.no_ts_conversion or ' ' in str(ts_val) else convert_ts(ts_val)
+
+    # Determine fields to print
+    fields = log_headers.get('conn')
+    if not fields:
+        fields = sorted(k for k in record.keys() if k not in ('ts', 'uid'))
+
     line = '\t'.join([
         ts_str,
         'conn',
         uid
-    ] + [record.get(k, '-') for k in log_headers.get('conn', []) if k not in ('ts', 'uid')])
+    ] + [str(record.get(k, '-')) for k in fields])
     log_entries.append((line, color_scheme['conn']))
 
-# Sort all log entries by timestamp (handles both raw and formatted timestamps)
+# Sort log entries by timestamp (handles both formatted and raw timestamps)
 def extract_ts(entry):
     ts_str = entry[0].split('\t')[0]
     try:
         if ' ' in ts_str:
-            ts_main = ' '.join(ts_str.split(' ')[:2])  # "YYYY-MM-DD HH:MM:SS.microsec"
+            ts_main = ' '.join(ts_str.split(' ')[:2])  # e.g. '2025-03-31 08:41:08.271441'
             return datetime.strptime(ts_main, "%Y-%m-%d %H:%M:%S.%f").timestamp()
-        else:
-            return float(ts_str)
+        return float(ts_str)
     except:
         return 0
 
 log_entries.sort(key=extract_ts)
 
-# Output
+# Print results
 for line, color in log_entries:
     print(f"{color}{line}{reset_color}")