JSON file parse error

ichasco_heytrade · July 18, 2022, 9:42am

Hi, I am trying to parse a JSON file with this structure:

[
  {
    "plugin": "cloudtrailBucketAccessLogging",
    "category": "CloudTrail",
    "title": "CloudTrail Bucket Access Logging",
    "description": "Ensures CloudTrail logging bucket has access logging enabled to detect tampering of log files",
    "resource": "arn:aws:s3:::cloudtrail",
    "region": "eu-west-1",
    "status": "FAIL",
    "message": "Unable to locate S3 bucket, it may have been deleted",
    "compliance": "CIS1: 2.6 Ensure CloudTrail bucket access logging is enabled"
  },
  {
    "plugin": "cloudtrailToCloudwatch",
    "category": "CloudTrail",
    "title": "CloudTrail To CloudWatch",
    "description": "Ensures CloudTrail logs are being properly delivered to CloudWatch",
    "resource": "arn:aws:cloudtrail:eu-west-1:XXXXXXXX:trail/CloudTrail",
    "region": "us-east-1",
    "status": "FAIL",
    "message": "CloudTrail CloudWatch integration is not enabled",
    "compliance": "CIS1: 2.4 Ensure CloudTrail trails are integrated with CloudWatch Logs"
  }
]

But I am getting errors. Is there any way to parse this kind of files?

Thanks!

Badger · July 18, 2022, 3:14pm

What configuration are you using to parse it and what errors are you gettting?

ichasco_heytrade · July 19, 2022, 8:58am

Here is my configuration.I have tried several different configuration that I have found from your answers in posts.

s3 {
          access_key_id       => "${vault:devops/data/AWS/IAM/Users/Logstash#ACCESS_KEY_ID}"
          secret_access_key   => "${vault:devops/data/AWS/IAM/Users/Logstash#SECRET_ACCESS_KEY}"
          bucket              => "devops-vulnerabilities"
          region              => "eu-west-1"
          prefix              => "AWS/CloudSploit"
          codec               => multiline { 
                                  pattern => "^Spalanzani"
                                  negate => true
                                  what => previous
                                  auto_flush_interval => 1
                                }
          #codec               => "json"
          add_field           => { "Vulnerability" => "true" }
          additional_settings => {
            force_path_style => true
            follow_redirects => false
          }
        }
....
filter {
        if [Vulnerability] == "true" {
          split { field => "someField" }
        }
      }

Here are the errors

:exception=>#<LogStash::Json::ParserError: Unexpected end-of-input within/between Object entries

Thank you very much!

system · August 16, 2022, 8:59am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.