Adding nested Json array as their own fields in Elasticsearch [6.2]

Peter_Boer · May 26, 2018, 1:50pm

Hello,

I am trying to detected services on hosts on my local network using Nmap and the version detection option (-sV). I then want to input this data via JSON into my database.

When indexing the data I'm getting the notification that JSON object arrays (multiple ports per host) are not very well supported and that they aren't indexed as their own fields. I'm looking for a way to index this json file so that they become their own fields.

sample Json:
{
"host": {
"status": {
"_state": "up",
"_reason": "echo-reply",
"_reason_ttl": "60"
},
"address": {
"_addr": "xxx.xxx.xxx.xxx",
"_addrtype": "ipv6"
},
"hostnames": {
"hostname": {
"_name": "xxxxxx.com",
"_type": "PTR"
}
},
"ports": {
"extraports": {
"extrareasons": {
"_reason": "no-responses",
"_count": "994"
},
"_state": "filtered",
"_count": "994"
},
"port": [
{
"state": {
"_state": "closed",
"_reason": "reset",
"_reason_ttl": "60"
},
"service": {
"_name": "ftp-data",
"_method": "table",
"_conf": "3"
},
"_protocol": "tcp",
"_portid": "20"
},
{
"state": {
"_state": "open",
"_reason": "syn-ack",
"_reason_ttl": "60"
},
"service": {
"cpe": "cpe:/a:vsftpd:vsftpd",
"_name": "ftp",
"_product": "vsftpd",
"_version": "2.0.8 or later",
"_hostname": "Welcome",
"_method": "probed",
"_conf": "10"
},
"_protocol": "tcp",
"_portid": "21"
},
{
"state": {
"_state": "open",
"_reason": "syn-ack",
"_reason_ttl": "60"
},
"service": {
"cpe": "cpe:/a:openbsd:openssh:5.3",
"_name": "ssh",
"_product": "OpenSSH",
"_version": "5.3",
"_extrainfo": "protocol 2.0",
"_method": "probed",
"_conf": "10"
},
"_protocol": "tcp",
"_portid": "22"
},
{
"state": {
"_state": "open",
"_reason": "syn-ack",
"_reason_ttl": "60"
},
"service": {
"cpe": "cpe:/a:apache:http_server:2.2.15",
"_name": "http",
"_product": "Apache httpd",
"_version": "2.2.15",
"_extrainfo": "(CentOS)",
"_method": "probed",
"_conf": "10"
},
"_protocol": "tcp",
"_portid": "80"
},
{
"state": {
"_state": "open",
"_reason": "syn-ack",
"_reason_ttl": "60"
},
"service": {
"cpe": "cpe:/a:apache:http_server:2.2.15",
"_name": "http",
"_product": "Apache httpd",
"_version": "2.2.15",
"_extrainfo": "(CentOS)",
"_tunnel": "ssl",
"_method": "probed",
"_conf": "10"
},
"_protocol": "tcp",
"_portid": "443"
},
{
"state": {
"_state": "open",
"_reason": "syn-ack",
"_reason_ttl": "60"
},
"service": {
"_name": "rsync",
"_extrainfo": "protocol version 31",
"_method": "probed",
"_conf": "10"
},
"_protocol": "tcp",
"_portid": "873"
}
]
},
"times": {
"_srtt": "1392",
"_rttvar": "258",
"_to": "50000"
},
"_starttime": "1527320392",
"_endtime": "1527320668"
}
}

I am new to using the Elastic Stack, so I think I probably need to to something with filters in my configuration file, but don't know exactly where to begin

system · June 23, 2018, 1:51pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.