Logstash JSON GROK Parsing


(Kenny H) #1

I am new to Logstash and Grok, with a non-developer background. Can anyone help me with Grok parsing for the below?

{
  "source": "logs",
  "id": "9ab3ce4e-fff7-11e8-be78-06da4fe50a90",
  "recorded": "2018-14-12T23:25:55.228Z",
  "actors": [
    {
      "type": "user",
      "name": "abc123456"
    }
  ],
  "resources": ,
  "result": {
    "status": "POLICY",
    "message": "Authentication Details:\nIP Address: 208.66.218.169\nCountry: US\nNew Device: false\nRequested Application ID: d4c6830e-af0b-48a6-b846-d28ffc54d4a3\nRequested Application Name: N/A\nPassword Reset: false\nSelf Service Device Management: false\nTime since last Authentication: In the last 17 minutes\nTime since last Authentication from Office: N/A\nMobile OS Version: iOS 12.1\nDevice Model: iPhone X\nDevice Lock Enabled: true\nDevice Rooted or Jailbroken: false\nDevice enrolled in MDM: false\nPingID App Version: 1.8.5\nAction: Fingerprint (with fallback)\nPolicy Met: Default Policy\nRule Met: \"Default Action\"\n"
  }
}

AND

{
  "source": "TOKEN",
  "id": "9bc4efce-fff7-11e8-be9e-02743401c720",
  "recorded": "2018-14-12T23:25:57.018Z",
  "action": {
    "type": "SSO_IDP"
  },
  "actors": [
    {
      "type": "user",
      "name": "ABC12345"
    },
    {
      "type": "user.service",
      "name": "ABC12345"
    }
  ],
  "resources": [
    {
      "id": "571f1bbc-52f8-4ca7-b80b-1e30240e7feb",
      "type": "IDP",
      "name": "SK",
      "idpEntityId": "SK"
    },
    {
      "id": "076a52e5-9d71-4e92-8580-b4908051c6d3",
      "type": "SP",
      "name": "customer1"
    },
    {
      "id": "79685301-1e21-4f20-97c5-72a9ae5b92be",
      "type": "CONNECTION",
      "name": "customer"
    }
  ],
  "client": {
    "id": "Mozilla/5.0_(Macintosh;_Intel_Mac_OS_X_10_14_2)AppleWebKit/537.36(KHTML,_like_Gecko)_Chrome/71.0.3578.98_Safari/537.36",
    "ipAddress": "208.66.218.169"
  },
  "result": {
    "status": "SUCCESS",
    "message": "success"
  }
}
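
Both events are already JSON, so grok is the wrong tool for the outer document; the pattern that fits is a JSON codec for the envelope and the kv filter for the newline-separated "Key: value" block in the PingID message. The pipeline below is an added example, not from the original post or the PingID product: it assumes events arrive one per line (the pretty-printed samples above would have to be fed as JSON lines), and the [auth] target and src_ip field names are my choice.

```logstash
input { stdin { codec => json_lines } }   # one JSON event per line; top-level keys become fields directly

filter {
  # "recorded" is ISO 8601. A value that does not parse (the samples carry
  # month "14") gets a tag instead of silently keeping ingest time as @timestamp.
  date {
    match          => ["recorded", "ISO8601"]
    target         => "@timestamp"
    tag_on_failure => ["_dateparsefailure"]
  }

  # The PingID message is "Key: value" lines joined by newlines. Split it with
  # kv (field_split_pattern is a regex, so "\n" works without config.support_escapes)
  # into fields under [auth], e.g. [auth][IP Address], [auth][Device Rooted or Jailbroken].
  if [result][message] =~ /^Authentication Details:/ {
    kv {
      source              => "[result][message]"
      target              => "auth"
      field_split_pattern => "\n"
      value_split         => ":"
      trim_key            => " "
      trim_value          => ' "'     # also drops the quotes around "Default Action"
    }
  }

  # Both event shapes carry the client address in a different place; put it in
  # one field so a single rule (e.g. logins from an unexpected country) can key on it.
  if [client][ipAddress] {
    mutate { add_field => { "src_ip" => "%{[client][ipAddress]}" } }
  } else if [auth][IP Address] {
    mutate { add_field => { "src_ip" => "%{[auth][IP Address]}" } }
  }
}

output { stdout { codec => rubydebug } }
```

Run with `logstash -f pingid.conf < events.jsonl`; the second sample has a plain "success" message, so the kv block is skipped for it and only the date and mutate filters apply.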


(system) #2

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.