Hi all,
I want to monitor AWS WAFv2 logs with Elasticsearch.
I tried to insert the data into Elasticsearch with Logstash.
I faced some problems.
In short, below is the JSON-format data:
{
  "nonTerminatingMatchingRules" : [
    {
      "ruleId" : "AWS-AWSManagedRulesCommonRuleSet",
      "action" : "COUNT"
    }
  ],
  "ruleGroupList" : [
    {
      "excludedRules" : null,
      "nonTerminatingMatchingRules" : [ ],
      "ruleGroupId" : "arn:aws:wafv2:xxxx:xxxx:regional/rulegroup/HTTP_Header_Injection/xxxxx",
      "terminatingRule" : null
    },
    {
      "excludedRules" : null,
      "nonTerminatingMatchingRules" : [ ],
      "ruleGroupId" : "AWS#AWSManagedRulesCommonRuleSet",
      "terminatingRule" : {
        "ruleId" : "SizeRestrictions_BODY",
        "action" : "BLOCK"
      }
    }
  ],
  "action" : "ALLOW"
}
I really want to parse the ruleGroupList area.
If I use the split filter in Logstash, only one item remains, as below:
filter {
  split { field => "[ruleGroupList]" }
}
==>
"ruleGroupList" : {
  "ruleGroupId" : "AWS#AWSManagedRulesCommonRuleSet",
  "nonTerminatingMatchingRules" : [ ],
  "terminatingRule" : {
    "action" : "BLOCK",
    "ruleId" : "SizeRestrictions_BODY"
  },
  "excludedRules" : null
},
Only one item remains, even though two items existed originally.
How do I parse this correctly? Please let me know.
Thanks.
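As an added example (not from this thread and not Logstash code), here is the flattening that splitting on ruleGroupList is meant to produce, written in Python and run against a constructed event that mirrors the posted log: every ruleGroupList element becomes its own record, so two records come out rather than one, and the nested terminatingRule is lifted into flat fields you can filter on. The output field names (webacl_action, terminating_ruleId, and so on) are my own choices, not WAF or Logstash field names.

```python
from typing import Any, Dict, List

# Constructed WAFv2 log fragment mirroring the one in the post
# (not a captured log; the ARN parts are placeholders).
WAF_EVENT = {
    "action": "ALLOW",
    "nonTerminatingMatchingRules": [
        {"ruleId": "AWS-AWSManagedRulesCommonRuleSet", "action": "COUNT"}
    ],
    "ruleGroupList": [
        {
            "ruleGroupId": "arn:aws:wafv2:xxxx:xxxx:regional/rulegroup/HTTP_Header_Injection/xxxxx",
            "excludedRules": None,
            "nonTerminatingMatchingRules": [],
            "terminatingRule": None,
        },
        {
            "ruleGroupId": "AWS#AWSManagedRulesCommonRuleSet",
            "excludedRules": None,
            "nonTerminatingMatchingRules": [],
            "terminatingRule": {"ruleId": "SizeRestrictions_BODY", "action": "BLOCK"},
        },
    ],
}


def explode_rule_groups(event: Dict[str, Any]) -> List[Dict[str, Any]]:
    """One flat record per ruleGroupList entry: the web ACL's top-level
    action is copied onto each record, terminatingRule is flattened, and
    null/missing arrays are tolerated so a partial event does not crash."""
    records = []
    for group in event.get("ruleGroupList") or []:
        term = group.get("terminatingRule") or {}
        records.append({
            "webacl_action": event.get("action"),
            "ruleGroupId": group.get("ruleGroupId"),
            "terminating_ruleId": term.get("ruleId"),
            "terminating_action": term.get("action"),
            "nonTerminating_ruleIds": [
                r.get("ruleId") for r in group.get("nonTerminatingMatchingRules") or []
            ],
        })
    return records


def blocking_rule_groups(event: Dict[str, Any]) -> List[str]:
    """Rule groups whose terminating rule was a BLOCK, for alerting/triage."""
    return [r["ruleGroupId"] for r in explode_rule_groups(event)
            if r["terminating_action"] == "BLOCK"]
```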