Help in Parsing JSON Log File

Hi,

Please, I need your help to parse a log file containing JSON-formatted entries; each has the same format as the example below:
{
  "Buffer": {
    "timestamp": "2017-11-03 13:32:55.840817",
    "pcapfile": "file.pcap",
    "packetnumber": 1
  },
  "Ethernet[0]": {
    "ethernet_dst": "20:e5:2a:b6:93:f1",
    "ethernet_src": "00:08:02:1c:47:ae",
    "ethernet_type": 2048
  },
  "IP[1]": {
    "ip_dst": "10.11.3.1",
    "ip_flags": 0,
    "ip_version": 4,
    "ip_ihl": 5,
    "ip_id": 4077,
    "ip_frag": 0,
    "ip_chksum": 4161,
    "ip_len": 67,
    "ip_src": "10.11.3.102",
    "ip_ttl": 128,
    "ip_proto": 17,
    "ip_tos": 0
  },
  "UDP[2]": {
    "udp_dport": 53,
    "udp_sport": 53052,
    "udp_len": 47,
    "udp_chksum": 63483
  },
  "DNS[3]": {
    "dns_aa": 0,
    "dns_qdcount": 1,
    "dns_ancount": 0,
    "dns_id": 14310,
    "dns_nscount": 0,
    "dns_qr": 0,
    "dns_rcode": 0,
    "dns_ra": 0,
    "dns_rd": 1,
    "dns_opcode": 0,
    "dns_tc": 0,
    "dns_arcount": 0,
    "dns_z": 0
  },
  "DNS Question Record[4]": {
    "dns_question_record_qname": "viciouscontroller.com.",
    "dns_question_record_qtype": 1,
    "dns_question_record_qclass": 1
  }
}

Thanks in advance

This shouldn't be too bad. You'll have your input, whether that's filebeat, or file, or whatever; use the codec => json.

That will take in the initial JSON.

After that you'll have some filters for each of the sub-JSONs, which from your example are:
- Buffer
- Ethernet
- IP
- UDP
- DNS Question Record

For each of these (hopefully they are standard in each log) you just have a filter, something like:

filter {
  json {
    source => "Buffer"
  }
}

filter {
  json {
    source => "Ethernet[0]"
  }
}

That should break it all up.
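As an added example (not from the thread and not Logstash code), here is the same two-step idea in plain Python: read the log as a stream of JSON objects, then split each object's sections into flat, searchable fields. It assumes the log is a file of concatenated JSON objects like the one in the question (one per line or pretty-printed over several lines), and the helper names, the second sample entry and the `SECTION.field` naming are my own; the `[n]` layer index is stripped so a field keeps the same name even when the layer sits at a different position in another packet.

```python
import json
import re
from typing import Dict, Iterator, List, Tuple

# Constructed sample log: the first entry is the one from the question (trimmed to
# a few fields), the second is made up. Note the mix of a pretty-printed object and
# a single-line object with nothing but whitespace between them.
SAMPLE_LOG = """{
  "Buffer": {"timestamp": "2017-11-03 13:32:55.840817", "pcapfile": "file.pcap", "packetnumber": 1},
  "Ethernet[0]": {"ethernet_dst": "20:e5:2a:b6:93:f1", "ethernet_src": "00:08:02:1c:47:ae"},
  "IP[1]": {"ip_dst": "10.11.3.1", "ip_src": "10.11.3.102", "ip_proto": 17},
  "UDP[2]": {"udp_dport": 53, "udp_sport": 53052},
  "DNS[3]": {"dns_id": 14310, "dns_qr": 0, "dns_rd": 1},
  "DNS Question Record[4]": {"dns_question_record_qname": "viciouscontroller.com.", "dns_question_record_qtype": 1}
}
{"Buffer": {"packetnumber": 2}, "Ethernet[0]": {}, "IP[1]": {"ip_src": "10.11.3.1", "ip_dst": "10.11.3.102", "ip_proto": 17}, "UDP[2]": {"udp_sport": 53, "udp_dport": 53052}, "DNS[3]": {"dns_id": 14310, "dns_qr": 1}}
"""

LAYER_INDEX = re.compile(r"\[\d+\]$")  # the "[n]" suffix on "IP[1]", "UDP[2]", ...


def iter_json_objects(text: str) -> Iterator[dict]:
    """Yield each top-level object from concatenated JSON, whatever the line layout."""
    decoder = json.JSONDecoder()
    pos, end = 0, len(text)
    while pos < end:
        if text[pos].isspace():
            pos += 1
            continue
        obj, pos = decoder.raw_decode(text, pos)  # parses one object, returns where it ended
        yield obj


def flatten_entry(entry: dict) -> Dict[str, object]:
    """Turn {"IP[1]": {"ip_dst": ...}} into {"IP.ip_dst": ...} (spaces become underscores)."""
    flat: Dict[str, object] = {}
    for section, fields in entry.items():
        name = LAYER_INDEX.sub("", section).replace(" ", "_")
        if isinstance(fields, dict):
            for key, value in fields.items():
                flat[f"{name}.{key}"] = value
        else:
            flat[name] = fields
    return flat


def parse_log(text: str) -> List[Dict[str, object]]:
    return [flatten_entry(entry) for entry in iter_json_objects(text)]


def dns_queries(records: List[Dict[str, object]]) -> List[Tuple[object, object]]:
    """(client ip, queried name) for every record that carries a DNS question."""
    qname = "DNS_Question_Record.dns_question_record_qname"
    return [(r["IP.ip_src"], r[qname]) for r in records if qname in r]
```

Because the second entry is a response without a question section, `dns_queries` returns only the client lookup from the first packet; that is the kind of per-section absence the flat key names make easy to test for.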
