Hello!
Context:
I am currently importing a CSP report log into Elasticsearch. I want to split out the domain of the URL (URI).
Here is an example of the imported JSON:
{"csp-report":{
"blocked-uri":"self",
"document-uri":"https://env.application.fr/toto",
"line-number":762,
"original-policy":"default-src 'none'; connect-src https://env.application.fr:443; font-src https://env.application.fr:443; img-src https://env.application.fr:443; script-src https://env.application.fr:443 'unsafe-inline'; style-src https://env.application.fr:443 'unsafe-inline'; report-uri https://appli/csp-cisirh.php",
"referrer":"https://env.application.fr/toto",
"script-sample":"call to eval() or related function blocked by CSP",
"source-file":"https://env.application.fr/js/a2d8d78.js",
"violated-directive":"script-src https://env.application.fr:443 'unsafe-inline'"
}
}
The import goes fine; I then extract the document-uri value into a uri field (mutate add_field uri):
filter {
  ### CSP REPORT STATISTICS
  if "CSP" in [tags] {
    ### Parse the JSON body of the log line into the [csp-report] object
    json { source => "message" }
    ### Copy document-uri into a top-level uri field for grok
    mutate { add_field => { "uri" => "%{[csp-report][document-uri]}" } }
    grok {
      patterns_dir => ["/produit/logstash/patterns"]
      # Same structure as the built-in URI pattern; the :uri_host capture name
      # is added so the domain lands in its own field
      match => { "uri" => "%{URIPROTO}://(?:%{USER}(?::[^@]*)?@)?(?:%{URIHOST:uri_host})?(?:%{URIPATHPARAM})?" }
    }
  }
}
I then try to parse this uri field with the patterns %{URI}
or %{URIPROTO}://(?:%{USER}(?::[^@]*)?@)?(?:%{URIHOST})?(?:%{URIPATHPARAM})?
, a custom pattern, etc.
And I only get _grokparsefailure, even though the URI* patterns are loaded when Logstash starts up.
[2017-10-31T17:46:16,328][DEBUG][logstash.pipeline ]
output received {"event"=>{"offset"=>2904,
"source"=>"/exploit/httpd-piwik/logs/csp-reports.log", "program"=>"httpd", "message"=>"{\"csp-report\":{\"blocked-uri\":\"self\",\"document-uri\":\"https://env.application.fr/agent/927/import-crep-papier\",
\"line-number\":762,\"original-policy\":\"default-src none; connect-src https://env.application.fr:443; font-src https://env.application.fr:443; img-src https://env.application.fr:443; script-src https://env.application.fr:443 unsafe-inline; style-src https://env.application.fr:443 unsafe-inline; report-uri https://serveur-csp.frcsp-cisirh.php\",
\"referrer\":\"https://env.application.fr/agent/927/import-crep-papier\",
\"script-sample\":\"call to eval() or related function blocked by CSP\",
\"source-file\":\"https://env.application.fr/js/a2d8d78.js\",
\"violated-directive\":\"script-src https://env.application.fr:443 unsafe-inline\"}}",
"type"=>"applicatif",
"csp-report"=>{"referrer"=>"https://env.application.fr/agent/927/import-crep-papier",
"script-sample"=>"call to eval() or related function blocked by CSP",
"original-policy"=>"default-src none; connect-src https://env.application.fr:443; font-src https://env.application.fr:443; img-src https://env.application.fr:443; script-src https://env.application.fr:443 unsafe-inline; style-src https://env.application.fr:443 unsafe-inline; report-uri https://serveur-csp.fr.php",
"source-file"=>"https://env.application.fr/js/a2d8d78.js",
"violated-directive"=>"script-src https://env.application.fr:443 unsafe-inline",
"document-uri"=>"https://env.application.fr/agent/927/import-crep-papier",
"line-number"=>762,
"blocked-uri"=>"self"},
"uri"=>"https://env.application.fr/agent/927/import-crep-papier",
"tags"=>["json", "CSP", "_grokparsefailure"],
"@timestamp"=>2017-10-31T16:46:15.063Z, "@version"=>"1",
"beat"=>{"name"=>"hostname", "hostname"=>"hostname", "version"=>"5.6.1"},
"host"=>"hostname",
"fields"=>{"type"=>"CSP", "environment"=>"PRODJ"}}}
Thanks for your help, this is making me lose my GROK!
David
EDIT: added line breaks so the JSON is easier to read.
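As an added example (this is not from the original post or from Logstash itself): the grok patterns that the expression in the post expands to, transcribed into Python regexes so the URI pattern can be checked offline against a csp-reports.log line, without starting Logstash. It reports what each capture (proto, user, hostname, port, path) returns, and returns None where grok would tag _grokparsefailure, for instance on a blocked-uri of "self", which is not a URI. The sample log line is constructed from the report in the post; the user, port and query-string variant in the test, and the assumption that these regexes match the grok-patterns file shipped with Logstash, are mine.

```python
"""Offline check of a grok-style URI pattern against CSP report log lines.

Constructed example: the Logstash grok patterns URIPROTO, USER, URIHOST and
URIPATHPARAM rebuilt as Python regexes (assumption: they follow the
grok-patterns file bundled with logstash-patterns-core).
"""
import json
import re
from typing import Optional

URIPROTO = r"[A-Za-z][A-Za-z0-9+\-.]+"
USERNAME = r"[a-zA-Z0-9._-]+"
IPV4 = r"(?:(?:25[0-5]|2[0-4]\d|[01]?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|[01]?\d?\d)"
HOSTNAME = (r"\b(?:[0-9A-Za-z][0-9A-Za-z-]{0,62})"
            r"(?:\.(?:[0-9A-Za-z][0-9A-Za-z-]{0,62}))*(?:\.?|\b)")
# URIHOST = IPORHOST with an optional :port; named so the domain is split out
URIHOST = rf"(?P<hostname>{IPV4}|{HOSTNAME})(?::(?P<port>[1-9][0-9]*))?"
URIPATH = r"(?:/[A-Za-z0-9$.+!*'(){},~:;=@#%&_\-]*)+"
URIPARAM = r"\?[A-Za-z0-9$.+!*'|(){},~@#%&/=:;_?\-\[\]<>]*"
URIPATHPARAM = rf"{URIPATH}(?:{URIPARAM})?"

# Same structure as grok's URI pattern, with named captures added
URI = re.compile(
    rf"(?P<proto>{URIPROTO})://(?:(?P<user>{USERNAME})(?::[^@]*)?@)?"
    rf"(?:{URIHOST})?(?P<path>{URIPATHPARAM})?"
)

# Constructed log line, built from the csp-report in the post
SAMPLE_LINE = (
    '{"csp-report":{"blocked-uri":"self",'
    '"document-uri":"https://env.application.fr/agent/927/import-crep-papier",'
    '"line-number":762,'
    '"source-file":"https://env.application.fr/js/a2d8d78.js",'
    '"violated-directive":"script-src https://env.application.fr:443 unsafe-inline"}}'
)


def parse_uri(value: str) -> Optional[dict]:
    """Return the named captures for value, or None where grok would fail.

    grok's match is an unanchored search, so re.search is used here too.
    """
    m = URI.search(value)
    return m.groupdict() if m else None


def domain_from_csp_line(line: str, field: str = "document-uri") -> Optional[str]:
    """Extract the host part of one URI-valued field of a csp-reports.log line.

    Returns None when the field is absent, not a string, or not a URI
    (e.g. blocked-uri values such as "self").
    """
    report = json.loads(line).get("csp-report", {})
    value = report.get(field)
    if not isinstance(value, str):
        return None
    parsed = parse_uri(value)
    return parsed["hostname"] if parsed else None


if __name__ == "__main__":
    for field in ("document-uri", "source-file", "blocked-uri"):
        print(field, "->", domain_from_csp_line(SAMPLE_LINE, field))
```

Run it against a few real lines from csp-reports.log before touching the Logstash config: if the Python transcription matches and grok still tags _grokparsefailure, the problem is in how the uri field reaches grok rather than in the pattern.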