JSON filter, query

runtman · November 16, 2017, 10:31am

Hello, I am receiving alerts from SOPHOS in clear JSON, below is an example:

{"end": "2017-11-15T21:35:18.000Z", "customer_id": "x", "endpoint_type": "computer", "dhost": "x", "type": "Event::Endpoint::WebControlViolation", "name": "'https://static.site24x7rum.com' warned due to category 'Alcohol & Tobacco'", "rt": "2017-11-15T21:35:21.942Z", "severity": "low", "duid": "5771219d2fa3360f8915b74f", "suser": "x", "group": "x", "id": "x", "whitelist_properties": {}, "endpoint_id": "x"}

Reading up I should be able to use the JSON filter, I am using the following:

filter {
  if [type] == "sophos.logs" {
    json {
      source => "message"
    }
  }
}

However when this goes into kibana, nothing is filtered. The entire message is a single field, is this to be expected?

Christian_Dahlqvist · November 16, 2017, 10:40am

Is this what the type field is set to on the events that does not get parsed correctly?

runtman · November 16, 2017, 10:43am

Yes,

t fields.log_type sophos.logs

Filebeat config for more clarity:

- input_type: log
  paths:
    - /root/repos/Sophos-Central-SIEM-Integration/log/result.txt
  fields:
    source: syslog-server
    log_type: sophos.logs
    environment: x
  tags: ['sophos-logs']

Christian_Dahlqvist · November 16, 2017, 10:45am

Can you show what an event looks like once it is in Kibana (please cut and paste)?

runtman · November 16, 2017, 10:46am

The white parts are just text that I don't want to share

Edit:
Is it because for raw data is being escaped (Not sure why)

"message": "{\"suser\": \"x", \"endpoint_type\": \"computer\", \"id\": \"x\", \"severity\": \"low\", \"dhost\": \"x\", \"customer_id\": \"x\", \"rt\": \"2017-11-16T10:30:49.666Z\", \"whitelist_properties\": {}, \"duid\": \"5x\", \"endpoint_id\": \"x\", \"name\": \"User trusted low reputation download from x\", \"group\": \"DOWNLOAD_REPUTATION\", \"end\": \"2017-11-16T10:30:49.666Z\", \"type\": \"Event::Endpoint::DownloadReputationUserAuthorised\"}",

magnusbaeck · November 16, 2017, 12:02pm

type is set to "log" in your case so your conditional is wrong. It's [fields][log_type] that you're setting to "sophos.logs" so you either have to change your conditional or rename the field. Perhaps you should consider setting Filebeat's fields_under_root option to true.

runtman · November 16, 2017, 12:16pm

Oh my, no idea how I didn't spot that. I will re-test, thanks.

runtman · November 16, 2017, 12:29pm

What a moron, thank you so much.

system · December 14, 2017, 12:29pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.