Hi all,
Been stuck on this since yesterday, and now I'm at a loss.
Basically: Using the Azure EventHub input plugin, I'm ingesting Azure logs from various sources, one of the being Azure SQL Audit logs, which are all in JSON format.
In my filters, I'm doing a split on the message
field, with the output being in the records
field, and then I remove the unparsed message
field.
Now, I have some data that I don't care about, and want to drop them based on values in the records.properties.action_id
and records.category
fields.
I've tried multiple different things, none of them are working.
My latest attempt looks something like that, which makes the Logstash parser explode:
if [type] == "azure_event_hub" {
json {
source => "message"
}
split {
field => ["records"]
}
mutate {
remove_field => [ "message" ]
}
if %{[records][category]} == "SQLSecurityAuditEvents" and %{[records][properties][action_id]} !~ "DBAF" and %{[records][properties][action_id]} !~ "DBAS" {
drop { }
}
}
Here is my sanitised data from ElasticSearch. How should I go about doing what I need to do ?
Thanks in advance!
{
"_index": "devops-diagsettings-2021.07.12",
"_type": "_doc",
"_id": "EG3GnHoBPvXLUEB8vkm0",
"_version": 1,
"_score": null,
"_source": {
"@timestamp": "2021-07-12T22:11:47.560Z",
"type": "azure_event_hub",
"tags": [
"azure-event-hub",
"prod-a-azure",
"prod"
],
"records": {
"originalEventTimestamp": "2021-07-12T22:10:37.5830011Z",
"ResourceGroup": "<redacted>",
"SubscriptionId": "<subid>",
"category": "SQLSecurityAuditEvents",
"operationName": "AuditEvent",
"resourceId": "/SUBSCRIPTIONS/<redacted>/RESOURCEGROUPS/<redacted>/PROVIDERS/MICROSOFT.SQL/SERVERS/<redacted>/DATABASES/MASTER",
"LogicalServerName": "<sqlservername>",
"properties": {
"sequence_number": 1,
"securable_class_type": "DATABASE",
"permission_bitmask": "00000000000000000000000000000000",
"data_sensitivity_information": "",
"database_name": "<redacted>",
"client_tls_version": 0,
"session_context": "",
"object_name": "<redacted>",
"connection_id": "25F8F4D8-E17D-4F7C-885C-7973EC0304E9",
"server_instance_name": "<redacted>",
"succeeded": "true",
"is_server_level_audit": "true",
"user_defined_event_id": 0,
"target_server_principal_id": 0,
"server_principal_id": 0,
"additional_information": "<batch_information><transaction_info>begin transaction</transaction_info></batch_information>",
"user_defined_information": "",
"audit_schema_version": 1,
"class_type_description": "DATABASE",
"response_rows": 0,
"session_id": 710,
"host_name": "<redacted>",
"sequence_group_id": "18054C2A-C110-4581-9E5E-2BD88F4D6AB8",
"is_column_permission": "false",
"affected_rows": 0,
"action_id": "TRBC",
"transaction_id": 9911978212,
"session_server_principal_name": "<redacted>",
"target_database_principal_name": "",
"server_principal_name": "<redacted>",
"target_server_principal_sid": "",
"target_server_principal_name": "",
"object_id": 15,
"duration_milliseconds": 0,
"class_type": "DB",
"database_principal_id": 7,
"event_id": "C93A3EC8-5048-441F-970F-39F15EE29FBE",
"target_database_principal_id": 0,
"event_time": "2021-07-12T22:10:36.611Z",
"server_principal_sid": "01060000000100640000000000000000ec17c3056c3eae489eb40392a128c97a",
"client_ip": "<redacted>",
"database_principal_name": "<redacted>",
"statement": "",
"schema_name": "",
"application_name": ".Net SqlClient Data Provider",
"action_name": "TRANSACTION BEGIN COMPLETED"
},
"time": "2021-07-12T22:10:37.5959728Z"
},
"@version": "1"
},
"fields": {
"@timestamp": [
"2021-07-12T22:11:47.560Z"
],
"records.time": [
"2021-07-12T22:10:37.595Z"
],
"records.originalEventTimestamp": [
"2021-07-12T22:10:37.583Z"
],
"records.properties.event_time": [
"2021-07-12T22:10:36.611Z"
]
},
"highlight": {
"records.category": [
"@kibana-highlighted-field@SQLSecurityAuditEvents@/kibana-highlighted-field@"
]
},
"sort": [
1626127907560,
1626127837583
]
}