input {
stdin { }
}
output { stdout { codec => rubydebug } }
filter {
json {
source => "message"
}
mutate {
gsub => [ "message" , "\n", "," ] }
mutate {
gsub => [ "message" , "[\]", "" ]
gsub => [ "other_logs" , "[\\n]", "," ]
split => ["other_logs" , ","]
add_field => { "Client SSH" => "%{[other_logs][2]}" }
add_field => { "User" => "%{[other_logs][3]}" }
add_field => { "Password" => "%{[other_logs][4]}" }
}
}
My output is something like that
"aka_vulnerability" => false,
"Password" => "Password:packet",
"Client SSH" => "Client SSH:SSH-2.0-libssh-0.6.3",
"service" => "ssh",
"timestamp" => "2020-07-02 08:00:10",
"host" => "xyz",
"@version" => "1",
"target_ips" => {
"1.1.1.1" => {
"port" => "22"
}
},
"message" => "{"aka_vulnerability": false, "service": "ssh", "timestamp": "2020-07-02 08:00:10", "target_ips": {"1.1.1.1": {"port": "22"}}, "source_ip": "2.2.2.2", "other_logs": "Start Attack:"2020-07-02 08:00:10"nEnd Attack:"2020-07-02 08:00:10"nClient SSH:SSH-2.0-libssh-0.6.3nUser:packetnPassword:packet", "source_hostname": "-", "source_port": "11818", "subject": "Brute Force"}",
"subject" => "Brute Force",
"User" => "User:packet",
"source_hostname" => "-",
"other_logs" => [
[0] "Start Attack:"2020-07-02 08:00:10"",
[1] "End Attack:"2020-07-02 08:00:10"",
[2] "Client SSH:SSH-2.0-libssh-0.6.3",
[3] "User:packet",
[4] "Password:packet"
],
I would like to know how is possible to extract the fields inside the "target_ips"
Thank you