Hi,
I am trying to parse some events from Auditd, the values have been extracted but the commands executed are coming in hexadecimal format.
Can anyone help how to convert it to ASCII in a logstash pipeline using mutate.
I found a way to convert integer to hex using ruby
mutate { add_field => { "someField" => 65533 } }
ruby { code => 'event.set("hexField", event.get("someField").to_i.to_s(16))' }
I am not an expert on ruby so not able to do it other way round.
Ankit
Hi there,
doesn't it work the other way round? I mean in ruby:
Can you post here some samples of this hexadecimal field and how you'd like it to be converted into?
Thanks
Hi Fabio,
69707461626C65732D726573746F7265002D770035002D2D6E6F666C757368002D2D636F756E74657273 (converted value = iptables-restore-w5--noflush--counters )
66696C6562656174002D65002D7374726963742E7065726D733D66616C7365002D6300636F6E6669672F66696C65626561742E796D6C (converted value = filebeat-e-strict.perms=false-cconfig/filebeat.yml )
There are basically commands in linux logged by auditd in the log files that I am trying to parse.
I wrote a ruby code for conversion as well :
ruby { code => "event.set('command', event.get('command').pack('H*'))" }
But Logstash is tagging these events as _rubyexception.
Also getting below error in LS logs:
[ERROR] 2020-03-06 14:52:06.405 [[main]>worker9] ruby - Ruby exception occurred: undefined method `pack' for nil:NilClass
Thanks!
Found the solution here:
ruby { code => "event.set('somefield'),event.get('hex-field').split.pack('H*'))"}
This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.
© 2020. All Rights Reserved - Elasticsearch
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant logo are trademarks of the Apache Software Foundation in the United States and/or other countries.