Input Json
{"transaction":{"time":"26/Jan/2024:00:54:31 +0530","transaction_id":"16645304250678661185","remote_address":"141.98.7.28","remote_port":80,"local_address":"127.0.0.1","local_port":80},"request":{"request_line":"GET / HTTP/1.1","headers":{"Host":"95.217.32.181:80","User-Agent":"Hello World"}},"response":{"protocol":"HTTP/1.1","status":0,"headers":{}},"audit_data":{"messages":["Warning. Pattern match \"^[\\\\d.:]+$\" at REQUEST_HEADERS:Host. [file \"C:\\/Program Files/ModSecurity IIS/owasp_crs/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf\"] [line \"810\"] [id \"920350\"] [rev \"2\"] [msg \"Host header is a numeric IP address\"] [data \"95.217.32.181:80\"] [severity \"WARNING\"] [ver \"OWASP_CRS/3.0.0\"] [maturity \"9\"] [accuracy \"9\"] [tag \"application-multi\"] [tag \"language-multi\"] [tag \"platform-multi\"] [tag \"attack-protocol\"] [tag \"OWASP_CRS/PROTOCOL_VIOLATION/IP_HOST\"] [tag \"WASCTC/WASC-21\"] [tag \"OWASP_TOP_10/A7\"] [tag \"PCI/6.5.10\"]"],"handler":"IIS","stopwatch":{"p1":2047,"p2":1004,"p3":0,"p4":0,"p5":2048,"sr":2047,"sw":0,"l":0,"gc":2048},"producer":["ModSecurity for IIS (STABLE)/2.9.3 (http://www.modsecurity.org/)","OWASP_CRS/3.0.2"],"server":"ModSecurity Standalone","engine_mode":"ENABLED"}}
logstash.conf
input {
file{
path => "/tmp/modsec.log"
start_position => "beginning"
sincedb_path => "/dev/null"
codec => json
}
}
filter {
split { field => "[audit_data][messages]"}
mutate { remove_field => ["[event][original]"] }
mutate { remove_field => ["[request][headers][User-Agent]"] }
if [response][body] {
mutate { remove_field => ["[response][body]"] }
}
mutate { remove_field => ["[audit_data][stopwatch]"] }
mutate { remove_field => ["[audit_data][producer]"] }
mutate { remove_field => ["[audit_data][server]"] }
mutate { remove_field => ["[audit_data][engine_mode]"] }
grok {
match => { "[audit_data][messages]" => '%{GREEDYDATA:audit_message} \[file \\"%{DATA:rule_file}".*msg \\"%{DATA:audit_msg}"\].*\[severity \\"%{DATA:sevirity}"'}
}
}
output {
file {
codec => json
path => "/tmp/logstash_out.log"
}
}
All I want to create 4 seperate field from each of [audit_data][messages]
which has quotes, blackslashes etc. (This input has only 1 item in array btw.)
["Warning. Pattern match \"^[\\\\d.:]+$\" at REQUEST_HEADERS:Host. [file \"C:\\/Program Files/ModSecurity IIS/owasp_crs/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf\"] [line \"810\"] [id \"920350\"] [rev \"2\"] [msg \"Host header is a numeric IP address\"] [data \"95.217.32.181:80\"] [severity \"WARNING\"] [ver \"OWASP_CRS/3.0.0\"] [maturity \"9\"] [accuracy \"9\"] [tag \"application-multi\"] [tag \"language-multi\"] [tag \"platform-multi\"] [tag \"attack-protocol\"] [tag \"OWASP_CRS/PROTOCOL_VIOLATION/IP_HOST\"] [tag \"WASCTC/WASC-21\"] [tag \"OWASP_TOP_10/A7\"] [tag \"PCI/6.5.10\"]
- audit_message
- rule_file
- audit_msg
- Severity
Debugger is working here
I am getting everything else in output file. Only grok pattern not working in logstash. Why ? How do I make it work ?