Hello,
I'm having trouble with Logstash JSON parsing. I receive several events of this type:
{
"ignoreSimilarity" => false,
"message" => "19/04/22 19h47\n\nLogin:***",
"@timestamp" => 2022-04-20T09:48:17.782Z,
"dataType" => "ip",
"data" => "xx.xx.xx.xx",
"takedown" => "no",
"createdAt" => 1650448097782,
"stats" => {},
"@version" => "1",
"tlp" => 2,
"createdBy" => "mail@mail.com",
"reports" => {
"MISP_2_1" => {
"taxonomies" => [
[0] {
"level" => "info",
"predicate" => "Search",
"value" => "0 events",
"namespace" => "MISP"
}
]
},
"AbuseIPDB_1_0" => {
"taxonomies" => [
[0] {
"level" => "malicious",
"predicate" => "Records",
"value" => 4,
"namespace" => "AbuseIPDB"
}
]
},
"Onyphe_Summary_1_0" => {
"taxonomies" => [
[0] {
"level" => "malicious",
"predicate" => "Threat",
"value" => "2 threat found",
"namespace" => "Onyphe"
}
]
},
"VirusTotal_GetReport_3_0" => {
"taxonomies" => [
[0] {
"level" => "malicious",
"predicate" => "GetReport",
"value" => "61 detected_url(s)",
"namespace" => "VT"
}
]
},
"IPVoid_1_0" => {
"taxonomies" => [
[0] {
"level" => "suspicious",
"predicate" => "Blacklists",
"value" => "3/89",
"namespace" => "IPVoid"
},
[1] {
"level" => "info",
"predicate" => "Location",
"value" => "Atlanta/United States of America",
"namespace" => "IPVoid"
}
]
}
},
"id" => "~278388984",
"sighted" => false,
"ioc" => false,
"ascent" => "no",
"startDate" => 1650448097782,
"tags" => [
[0] "ip",
[1] "thehive"
]
}
I can't figure out why, but all the fields are parsed fine except these (in OpenSearch):
For the other fields, everything is done as it should. Here is my input, filter and output configuration:
# Input: events arrive from the upstream pipeline (the http_poller pipeline
# further down) through the pipeline-to-pipeline virtual address "thehive".
input {
  pipeline {
    address => thehive
  }
}
# Filter: overwrite @timestamp (ingest time) with the observable's own creation
# time. startDate is an epoch-milliseconds integer (1650448097782 in the sample
# event), hence the UNIX_MS pattern; an epoch value carries no zone, so the
# timezone setting should have no effect here and only documents intent.
# If startDate is missing or unparseable the event is tagged _dateparsefailure
# and @timestamp keeps the ingest time.
filter {
  date {
    match    => [ "startDate", "UNIX_MS" ]
    target   => "@timestamp"
    timezone => "UTC"
  }
}
output:
GNU nano 3.2 thehive-02-output.conf
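# Output: index every event into OpenSearch, then hand it to the "logs" pipeline.
# Credentials are resolved from the Logstash keystore / environment through
# ${VAR} substitution instead of being written into the config file; the two
# variable names below are placeholders — choose your own and register them with
# `bin/logstash-keystore add`.
# TLS: ssl_certificate_verification stays on, so cacert must point at the CA
# that issued the 192.168.1.19 server certificate or the output cannot connect.
# NOTE(review): in the sample event taxonomies[].value is a number for one
# report (AbuseIPDB: 4) and a string for the others. If the fields missing in
# OpenSearch are the ones under "reports", check the index mapping and the
# Logstash log for a mapper_parsing_exception — a document whose field type
# conflicts with the existing mapping is rejected and the failure shows up only
# in the Logstash log, not in the index.
output {
  opensearch {
    hosts                        => ["https://192.168.1.19:9200"]
    index                        => "thehive"
    user                         => "${OPENSEARCH_USER}"      # placeholder name
    password                     => "${OPENSEARCH_PASSWORD}"  # placeholder name
    ssl                          => true
    ssl_certificate_verification => true
    cacert                       => "xx"   # CA bundle path (redacted in the post)
  }
  pipeline {
    send_to => logs # pipes/logs_output.conf
  }
}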
Input of the pipeline:
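# Input: poll TheHive's artifact search API and tag each event "thehive" so the
# output below can route it. Credentials are resolved from the Logstash keystore /
# environment through ${VAR} substitution rather than written into the file; the
# two variable names are placeholders.
# NOTE(review): the URL is plain http, so the Basic-auth credentials and the
# returned observables (TLP-marked, see "tlp" => 2 in the sample event) cross the
# network unencrypted — serve TheHive over https, or keep this hop on an isolated
# segment.
# NOTE(review): json_lines expects newline-delimited records; if this endpoint
# answers with one JSON document, the json codec is the usual choice — confirm
# against an actual response before changing it, since it may be related to the
# fields that never reach OpenSearch.
input {
  http_poller {
    urls => {
      thehive => {
        url      => "http://192.168.1.8:9000/api/case/artifact/_search?range=all"
        method   => post
        user     => "${THEHIVE_USER}"      # placeholder name
        password => "${THEHIVE_PASSWORD}"  # placeholder name
        headers  => { Accept => "application/json" }
      }
    }
    codec => "json_lines"
    tags  => ["thehive"]
  }
}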
# Output: forward events carrying the "thehive" tag (set by the poller above)
# to the pipeline listening on virtual address "thehive". Events without the
# tag match no output in this file and are discarded.
output {
  if "thehive" in [tags] {
    pipeline {
      send_to => thehive # pipes/thehive
    }
  }
}