Bad JSON parsing with Logstash

Hello,

I'm having trouble with Logstash JSON parsing. I receive several events of this type:

{
    "ignoreSimilarity" => false,
             "message" => "19/04/22 19h47\n\nLogin:***",
          "@timestamp" => 2022-04-20T09:48:17.782Z,
            "dataType" => "ip",
                "data" => "xx.xx.xx.xx",
            "takedown" => "no",
           "createdAt" => 1650448097782,
               "stats" => {},
            "@version" => "1",
                 "tlp" => 2,
           "createdBy" => "mail@mail.com",
             "reports" => {
                        "MISP_2_1" => {
            "taxonomies" => [
                [0] {
                        "level" => "info",
                    "predicate" => "Search",
                        "value" => "0 events",
                    "namespace" => "MISP"
                }
            ]
        },
                   "AbuseIPDB_1_0" => {
            "taxonomies" => [
                [0] {
                        "level" => "malicious",
                    "predicate" => "Records",
                        "value" => 4,
                    "namespace" => "AbuseIPDB"
                }
            ]
        },
              "Onyphe_Summary_1_0" => {
            "taxonomies" => [
                [0] {
                        "level" => "malicious",
                    "predicate" => "Threat",
                        "value" => "2 threat found",
                    "namespace" => "Onyphe"
                }
            ]
        },
        "VirusTotal_GetReport_3_0" => {
            "taxonomies" => [
                [0] {
                        "level" => "malicious",
                    "predicate" => "GetReport",
                        "value" => "61 detected_url(s)",
                    "namespace" => "VT"
                }
            ]
        },
                      "IPVoid_1_0" => {
            "taxonomies" => [
                [0] {
                        "level" => "suspicious",
                    "predicate" => "Blacklists",
                        "value" => "3/89",
                    "namespace" => "IPVoid"
                },
                [1] {
                        "level" => "info",
                    "predicate" => "Location",
                        "value" => "Atlanta/United States of America",
                    "namespace" => "IPVoid"
                }
            ]
        }
    },
                  "id" => "~278388984",
             "sighted" => false,
                 "ioc" => false,
              "ascent" => "no",
           "startDate" => 1650448097782,
                "tags" => [
        [0] "ip",
        [1] "thehive"
    ]
}

I can't figure out why, but all the fields are parsed fine except these (in OpenSearch):


For the other fields, everything works as it should. Here are my input, filter and output configurations:

# Receives the events that the polling pipeline sends to the "thehive" address.
input {
  pipeline {
    address => thehive
  }
}

# Overwrites @timestamp with the event's startDate, which arrives as epoch milliseconds.
# NOTE(review): UNIX_MS is timezone-independent, so the timezone setting should have no
# effect here — harmless, but confirm.
# NOTE(review): the nested reports.<analyzer>.taxonomies arrays pass through untouched; if each
# taxonomy's level/value is expected to become its own searchable field, that has to be done by
# a filter here or by the index mapping — check the OpenSearch mapping for "reports".
filter {
  date {
    match    => [ "startDate", "UNIX_MS" ]
    target   => "@timestamp"
    timezone => "UTC"
  }
}

Output:


# Every event goes both to OpenSearch and to the "logs" pipeline.
output {
  opensearch {
    hosts => ["https://192.168.1.19:9200"]
    index => "thehive"
    # Credentials and CA path are redacted placeholders in this paste.
    user     => "xxxx"
    password => "xxxxx"
    # TLS with server-certificate verification against the supplied CA bundle.
    ssl                          => true
    ssl_certificate_verification => true
    cacert                       => "xx"
    # NOTE(review): secrets are inline; Logstash resolves ${VAR} references from its keystore,
    # which keeps them out of the config file — confirm whether the keystore is in use.
    # NOTE(review): no document_id is set, so re-polling the same artifacts indexes them again;
    # document_id => "%{id}" would make re-polls overwrite — verify "id" is always present first.
  }

  # Forwards a copy of each event to pipes/logs_output.conf.
  pipeline {
    send_to => logs
  }
}

Input of the pipeline:

# Polls the TheHive artifact search API and hands the results to the thehive pipeline.
input {
  http_poller {
    urls => {
      thehive => {
        # NOTE(review): the API is reached over plain http, so the user/password below
        # cross the network in cleartext — confirm whether this instance can be polled over https.
        url      => "http://192.168.1.8:9000/api/case/artifact/_search?range=all"
        method   => post
        user     => "xxx"
        password => "xxxxx"
        headers  => { Accept => "application/json" }
      }
    }
    # The response body is decoded as newline-delimited JSON, one event per line.
    codec => "json_lines"
    # Consulted by the output conditional below.
    tags  => ["thehive"]
    # NOTE(review): no schedule is shown; http_poller needs one to know how often to poll —
    # presumably trimmed from the paste.
  }
}

# Only events carrying the thehive tag are forwarded to pipes/thehive.
output {
  if "thehive" in [tags] {
    pipeline {
      send_to => thehive
    }
  }
}


What don't you like about the way they are parsed?

Because I want this to create the fields "level", "value", etc. in OpenSearch, like this:


