My recent obsession has been creating all of my logs in JSON format. The reasons for that are pretty simple: I ship my logs to Elasticsearch, and JSON-formatted logs make working with Elasticsearch easier. Command-line tools like ‘jq’ also make parsing JSON logs on the command line simpler than picking apart “good old” Syslog format with a string of ‘cut,’ ‘sed,’ and ‘awk’ commands, each of which depends on field positions that shift from one message variant to the next.
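As an added example, not code from the original diary, the following Python shows both halves of that argument: a logging formatter that emits one JSON object per line (the NDJSON shape that Elasticsearch's bulk API and jq both consume), and a parser that counts failed logins per source IP from those lines, next to the same question asked of classic sshd Syslog text. The logger name, field names (`event`, `src_ip`, `user`) and the sample events and Syslog lines are constructed for this illustration and are not taken from the page.

```python
import io
import json
import logging
from collections import Counter


class JsonFormatter(logging.Formatter):
    """Render every log record as a single JSON object on one line (NDJSON).

    One object per line is what Elasticsearch's bulk API and jq both expect,
    so the same file can be shipped to Elasticsearch or piped into jq as-is.
    """

    def format(self, record: logging.LogRecord) -> str:
        doc = {
            "@timestamp": self.formatTime(record, "%Y-%m-%dT%H:%M:%S"),
            "level": record.levelname,
            "logger": record.name,
            "message": record.getMessage(),
        }
        # Structured fields are passed as logger.info("...", extra={"fields": {...}})
        # and become top-level keys, so they are queryable without regexes.
        doc.update(getattr(record, "fields", {}))
        return json.dumps(doc, sort_keys=True)


def build_logger(stream: io.StringIO) -> logging.Logger:
    """Hypothetical logger wired to the JSON formatter; writes to an in-memory stream."""
    logger = logging.getLogger("auth-demo")
    logger.handlers.clear()        # keep repeated calls idempotent
    logger.propagate = False       # do not also emit via the root logger
    logger.setLevel(logging.INFO)
    handler = logging.StreamHandler(stream)
    handler.setFormatter(JsonFormatter())
    logger.addHandler(handler)
    return logger


def emit_sample_logs() -> list[str]:
    """Produce a few constructed authentication events as NDJSON lines."""
    buf = io.StringIO()
    log = build_logger(buf)
    events = [  # (event, src_ip, user) -- constructed sample data
        ("auth_failure", "198.51.100.7", "root"),
        ("auth_failure", "198.51.100.7", "admin"),
        ("auth_success", "192.0.2.10", "alice"),
        ("auth_failure", "203.0.113.42", "bob smith"),  # a username containing a space
    ]
    for event, src_ip, user in events:
        log.info("ssh login attempt",
                 extra={"fields": {"event": event, "src_ip": src_ip, "user": user}})
    return buf.getvalue().splitlines()


def failed_logins_by_ip(lines: list[str]) -> Counter:
    """Count auth failures per source IP from NDJSON lines.

    Shell equivalent with jq:
      jq -r 'select(.event == "auth_failure") | .src_ip' auth.log | sort | uniq -c
    Field values with spaces (like "bob smith") need no special handling.
    """
    counts: Counter = Counter()
    for line in lines:
        doc = json.loads(line)
        if doc.get("event") == "auth_failure":
            counts[doc["src_ip"]] += 1
    return counts


# Constructed Syslog-style sshd lines for contrast; note the "invalid user"
# variant inserts two extra words, shifting every later field position.
SYSLOG_SAMPLE = [
    "Jan 10 12:00:01 host sshd[1234]: Failed password for root from 198.51.100.7 port 4242 ssh2",
    "Jan 10 12:00:02 host sshd[1234]: Failed password for invalid user admin from 198.51.100.7 port 4243 ssh2",
    "Jan 10 12:00:03 host sshd[1234]: Accepted password for alice from 192.0.2.10 port 5000 ssh2",
]


def failed_logins_by_ip_syslog(lines: list[str]) -> Counter:
    """Same question against Syslog text.

    A fixed `cut -d' ' -f11` breaks on the "invalid user" variant, so the
    awk-style approach has to hunt for the 'from' token instead:
      awk '/Failed password/ {for (i=1;i<=NF;i++) if ($i=="from") print $(i+1)}' | sort | uniq -c
    """
    counts: Counter = Counter()
    for line in lines:
        if "Failed password" not in line:
            continue
        tokens = line.split()
        counts[tokens[tokens.index("from") + 1]] += 1
    return counts
```

Running `failed_logins_by_ip(emit_sample_logs())` yields two failures from 198.51.100.7 and one from 203.0.113.42; the Syslog variant needs a token search rather than a column number to get the same answer for its two failure lines.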
Article Link: InfoSec Handlers Diary Blog - SANS Internet Storm Center