JSON parse error - Suricata

Hello Team,

I mounted my lab with Suricata and web servers. I tried to send the Suricata logs to ELK, but I received an error when I did the parse.

My conf:

input {
  udp {
    port => "514"
    type => "syslog"
  }
}

filter {
  json {
    source => "message"
  }
}

output {
  stdout {}
}

But I received this error:

[2020-09-17T11:42:25,613][WARN ][logstash.filters.json ][main][c3ae95835f9d11e27a9b4e7c14651433b6767ca87df67a270462822942fd6c02] Error parsing json {:source=>"message", :raw=>"<13>Sep 16 18:07:59 proapps-security suricata-halfling: {"timestamp":"2020-09-17T11:42:04.985994-0300","flow_id":738087809626408,"in_iface":"ix1","event_type":"alert","src_ip":"99.125.125.125","src_port":9999,"dest_ip":"192.168.0.1","dest_port":389,"proto":"UDP","alert":{"action":"allowed","gid":1,"signature_id":2016150,"rev":2,"signature":"ET INFO Session Traversal Utilities for NAT (STUN Binding Response)","category":"Attempted User Privilege Gain","severity":1,"metadata":{"updated_at":["2013_01_04"],"created_at":["2013_01_04"]}},"app_proto":"failed","flow":{"pkts_toserver":5,"pkts_toclient":0,"bytes_toserver":569,"bytes_toclient":0,"start":"2020-09-17T11:41:56.110888-0300"}}\n", :exception=>#<LogStash::Json::ParserError: Unexpected character ('<' (code 60)): expected a valid value (number, String, array, object, 'true', 'false' or 'null')
at [Source: (byte)"

Please can you help me?

You need to parse the JSON out of the syslog message before trying to use a json filter. Something like

dissect { mapping => { "message" => "<%{syslog_pri}>%{timestamp} %{+timestamp} %{+timestamp} %{} %{}: %{jsonMessage}" } }
json { source => "jsonMessage" }
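To make the failure and the fix concrete, here is the same two-stage parse written in Python as an added example (not code from this thread or from Logstash). It reproduces the error from the question, then splits the syslog header off the way the dissect mapping above does and decodes the remaining JSON. The sample line is copied from the question but abbreviated, the regex `SYSLOG_RE` is my approximation of the dissect pattern, and the function and tag names (`parse_syslog_eve`, `_dissectfailure`, `_jsonparsefailure`) are my own choices, modelled on the tags Logstash sets when a filter fails.

```python
import json
import re

# Constructed sample: the log line quoted in the question, with the "metadata"
# and "flow" objects trimmed to keep it short. Layout is
# "<PRI>MMM dd HH:MM:SS host program: " followed by a Suricata EVE JSON record.
SAMPLE_LINE = (
    '<13>Sep 16 18:07:59 proapps-security suricata-halfling: '
    '{"timestamp":"2020-09-17T11:42:04.985994-0300","flow_id":738087809626408,'
    '"in_iface":"ix1","event_type":"alert","src_ip":"99.125.125.125","src_port":9999,'
    '"dest_ip":"192.168.0.1","dest_port":389,"proto":"UDP",'
    '"alert":{"action":"allowed","gid":1,"signature_id":2016150,"rev":2,'
    '"signature":"ET INFO Session Traversal Utilities for NAT (STUN Binding Response)",'
    '"category":"Attempted User Privilege Gain","severity":1},"app_proto":"failed"}\n'
)

# Equivalent of the dissect mapping in the answer (assumption: same field order):
# <pri>, a three-token BSD syslog timestamp, host, program tag, ": ", JSON payload.
SYSLOG_RE = re.compile(
    r'^<(?P<syslog_pri>\d{1,3})>'
    r'(?P<timestamp>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) '
    r'(?P<host>\S+) (?P<program>[^:]+): (?P<jsonMessage>.*)$',
    re.DOTALL,
)


def raw_json_fails(line):
    """Reproduce the question's error: decoding the whole line as JSON.

    Returns the offset at which the decoder gave up (0 == the leading '<'
    of the PRI field), or None if the line unexpectedly parsed.
    """
    try:
        json.loads(line)
        return None
    except json.JSONDecodeError as exc:
        return exc.pos


def parse_syslog_eve(line):
    """Split one syslog line into header fields plus the decoded EVE record.

    Returns a dict with syslog_pri/timestamp/host/program and "event" (the
    parsed JSON). When a stage cannot parse, a "tags" list is set instead,
    mirroring the _dissectfailure / _jsonparsefailure tags Logstash adds.
    """
    match = SYSLOG_RE.match(line.rstrip("\n"))
    if not match:
        return {"message": line, "tags": ["_dissectfailure"]}
    fields = match.groupdict()
    try:
        fields["event"] = json.loads(fields.pop("jsonMessage"))
    except json.JSONDecodeError:
        fields["tags"] = ["_jsonparsefailure"]
    return fields


def alert_summary(parsed):
    """Pull the fields a triage view usually needs from a parsed alert."""
    event = parsed["event"]
    alert = event["alert"]
    return (event["src_ip"], event["dest_ip"], event["dest_port"],
            alert["signature_id"], alert["severity"])


if __name__ == "__main__":
    print("raw json.loads stopped at offset", raw_json_fails(SAMPLE_LINE))
    result = parse_syslog_eve(SAMPLE_LINE)
    print("header:", {k: result[k] for k in ("syslog_pri", "timestamp", "host", "program")})
    print("alert:", alert_summary(result))
```

The tagging branches are the part worth keeping in a real pipeline: a line that is not syslog-shaped, or a program that emits something other than JSON on the same port, should land in the index with a failure tag rather than being dropped silently, so a broken log source shows up as a count of tagged events rather than as missing alerts.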

Thanks!

I will do this.
