How to extract data from Json

rildo · October 19, 2020, 7:12pm

input {

stdin { }

}


output { stdout { codec => rubydebug } }

filter {

json {

source => "message"

}

mutate {

gsub => [ "message" , "\n", "," ] }

 

mutate {

gsub => [ "message" , "[\]", "" ]

gsub => [ "other_logs" , "[\\n]", "," ]

split => ["other_logs" , ","]

add_field => { "Client SSH" => "%{[other_logs][2]}" }

add_field => { "User" => "%{[other_logs][3]}" }

add_field => { "Password" => "%{[other_logs][4]}" }

}

}

My output is something like that

"aka_vulnerability" => false,

"Password" => "Password:packet",

"Client SSH" => "Client SSH:SSH-2.0-libssh-0.6.3",

"service" => "ssh",

"timestamp" => "2020-07-02 08:00:10",

"host" => "xyz",

"@version" => "1",

"target_ips" => {

"1.1.1.1" => {

"port" => "22"

}

},

"message" => "{"aka_vulnerability": false, "service": "ssh", "timestamp": "2020-07-02 08:00:10", "target_ips": {"1.1.1.1": {"port": "22"}}, "source_ip": "2.2.2.2", "other_logs": "Start Attack:"2020-07-02 08:00:10"nEnd Attack:"2020-07-02 08:00:10"nClient SSH:SSH-2.0-libssh-0.6.3nUser:packetnPassword:packet", "source_hostname": "-", "source_port": "11818", "subject": "Brute Force"}",

"subject" => "Brute Force",

"User" => "User:packet",

"source_hostname" => "-",

"other_logs" => [

[0] "Start Attack:"2020-07-02 08:00:10"",

[1] "End Attack:"2020-07-02 08:00:10"",

[2] "Client SSH:SSH-2.0-libssh-0.6.3",

[3] "User:packet",

[4] "Password:packet"

],

I would like to know how is possible to extract the fields inside the "target_ips"

Thank you

Badger · October 19, 2020, 7:36pm

What do you mean by that? What do you want the fields to look like?

rildo · October 19, 2020, 11:14pm

I would like to extract the target_ips fields and put it another fields something like that

"Destiny IP" => " 1.1.1.1"
"Destiny Port" => "22"

I tried to do it, but doesn't work

mutate { 
    add_field => { "Destiny IP" => "%{[target_ips][0]}" }
    add_field => { "Destiny Port" => "%{[target_ips][1]}" }
        }
}

Badger · October 19, 2020, 11:26pm

[target_ips] is not an array, it is a hash, so you cannot refer to it as

[target_ips][0]

If, when there are multiple targets it switches to an array of hashes you would need more complicated code, but I would start with something like

ruby
    code => '
        t = event.get("target_ips")
        t.each { |k, v|
            event.set("dstIp", k)
            event.set("dstPort", v["port"])
        }
    '
}

rildo · October 20, 2020, 12:25pm

Badger,

Thank you a lot , it worked perfectly .

system · November 17, 2020, 12:25pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.