Adding nested Json array as their own fields in Elasticsearch [6.2]


(Peter Boer) #1

Hello,

I am trying to detected services on hosts on my local network using Nmap and the version detection option (-sV). I then want to input this data via JSON into my database.

When indexing the data I'm getting the notification that JSON object arrays (multiple ports per host) are not very well supported and that they aren't indexed as their own fields. I'm looking for a way to index this json file so that they become their own fields.

sample Json:
{
"host": {
"status": {
"_state": "up",
"_reason": "echo-reply",
"_reason_ttl": "60"
},
"address": {
"_addr": "xxx.xxx.xxx.xxx",
"_addrtype": "ipv6"
},
"hostnames": {
"hostname": {
"_name": "xxxxxx.com",
"_type": "PTR"
}
},
"ports": {
"extraports": {
"extrareasons": {
"_reason": "no-responses",
"_count": "994"
},
"_state": "filtered",
"_count": "994"
},
"port": [
{
"state": {
"_state": "closed",
"_reason": "reset",
"_reason_ttl": "60"
},
"service": {
"_name": "ftp-data",
"_method": "table",
"_conf": "3"
},
"_protocol": "tcp",
"_portid": "20"
},
{
"state": {
"_state": "open",
"_reason": "syn-ack",
"_reason_ttl": "60"
},
"service": {
"cpe": "cpe:/a:vsftpd:vsftpd",
"_name": "ftp",
"_product": "vsftpd",
"_version": "2.0.8 or later",
"_hostname": "Welcome",
"_method": "probed",
"_conf": "10"
},
"_protocol": "tcp",
"_portid": "21"
},
{
"state": {
"_state": "open",
"_reason": "syn-ack",
"_reason_ttl": "60"
},
"service": {
"cpe": "cpe:/a:openbsd:openssh:5.3",
"_name": "ssh",
"_product": "OpenSSH",
"_version": "5.3",
"_extrainfo": "protocol 2.0",
"_method": "probed",
"_conf": "10"
},
"_protocol": "tcp",
"_portid": "22"
},
{
"state": {
"_state": "open",
"_reason": "syn-ack",
"_reason_ttl": "60"
},
"service": {
"cpe": "cpe:/a:apache:http_server:2.2.15",
"_name": "http",
"_product": "Apache httpd",
"_version": "2.2.15",
"_extrainfo": "(CentOS)",
"_method": "probed",
"_conf": "10"
},
"_protocol": "tcp",
"_portid": "80"
},
{
"state": {
"_state": "open",
"_reason": "syn-ack",
"_reason_ttl": "60"
},
"service": {
"cpe": "cpe:/a:apache:http_server:2.2.15",
"_name": "http",
"_product": "Apache httpd",
"_version": "2.2.15",
"_extrainfo": "(CentOS)",
"_tunnel": "ssl",
"_method": "probed",
"_conf": "10"
},
"_protocol": "tcp",
"_portid": "443"
},
{
"state": {
"_state": "open",
"_reason": "syn-ack",
"_reason_ttl": "60"
},
"service": {
"_name": "rsync",
"_extrainfo": "protocol version 31",
"_method": "probed",
"_conf": "10"
},
"_protocol": "tcp",
"_portid": "873"
}
]
},
"times": {
"_srtt": "1392",
"_rttvar": "258",
"_to": "50000"
},
"_starttime": "1527320392",
"_endtime": "1527320668"
}
}

I am new to using the Elastic Stack, so I think I probably need to to something with filters in my configuration file, but don't know exactly where to begin


(system) #2

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.