Hello all,
First of all, I'm running version 7.10.2 in Docker.
I have some CloudTrail logs stored as .gz that I'm reading, and after parsing I'm renaming the Records fields and building the different nested fields. When I try to see them in Kibana, they are not under the root field.
Logstash config:
input {
  file {
    path => "/tmp/*.gz"
    mode => "read"
    sincedb_path => "/dev/null"
  }
}
filter {
  json {
    source => "message"
  }
  split {
    field => "Records"
  }
  date {
    match => ["[Records][eventTime]", "ISO8601"]
    target => "@timestamp"
    remove_field => ["message", "host", "path"]
  }
  mutate {
    # All renames in one hash (the original repeated the rename option per field)
    rename => {
      "[Records][requestID]" => "requestID"
      "[Records][eventVersion]" => "eventVersion"
      "[Records][sharedEventID]" => "sharedEventID"
      "[Records][eventSource]" => "eventSource"
      "[Records][eventTime]" => "eventTime"
      "[Records][eventID]" => "eventID"
      "[Records][userIdentity]" => "userIdentity"
      "[Records][awsRegion]" => "awsRegion"
      "[Records][resources]" => "resources"
      "[Records][eventType]" => "eventType"
      "[Records][responseElements]" => "responseElements"
      "[Records][assumedRoleUser]" => "assumedRoleUser"
      "[Records][sourceIPAddress]" => "sourceIPAddress"
      "[Records][eventName]" => "eventName"
      "[Records][userAgent]" => "userAgent"
      "[Records][recipientAccountId]" => "recipientAccountId"
      "[Records][requestParameters]" => "requestParameters"
      "[Records][readOnly]" => "readOnly"
      "[Records][additionalEventData]" => "additionalEventData"
      "[Records][apiVersion]" => "apiVersion"
      "[Records][errorCode]" => "errorCode"
      "[Records][errorMessage]" => "errorMessage"
      "[Records][managementEvent]" => "managementEvent"
      "[Records][vpcEndpointId]" => "vpcEndpointId"
    }
  }
}
# (the stray extra closing brace that followed the filter block in the original paste is dropped)
output {
  # stdout { codec => rubydebug }
  elasticsearch {
    hosts => 'http://localhost:9200'
    index => 'cloudtrail-2022'
  }
}
I know that after doing this, fields like userIdentity are nested fields. I tried forcing the mapping, but it still didn't work:
{
  "properties": {
    "userIdentity": {
      "type": "nested",
      "properties": {
        "accessKeyId": { "type": "keyword" },
        "accountId": { "type": "keyword" },
        "arn": { "type": "keyword" },
        "identityProvider": { "type": "keyword" },
        "invokedBy": { "type": "keyword" },
        "principalId": { "type": "keyword" },
        "type": { "type": "keyword" },
        "userName": { "type": "keyword" },
        "sessionContext": {
          "type": "nested",
          "properties": {
            "attributes": {
              "type": "nested",
              "properties": {
                "mfaAuthenticated": { "type": "keyword" }
              }
            },
            "sessionIssuer": {
              "type": "nested",
              "properties": {
                "accountId": { "type": "keyword" },
                "arn": { "type": "keyword" },
                "principalId": { "type": "keyword" },
                "type": { "type": "keyword" },
                "userName": { "type": "keyword" }
              }
            }
          }
        }
      }
    }
  }
}
Below you have the Kibana screenshot.
I would like to have some guidance on this.
Thanks in advance for your help.
Best Regards.
Pedro Cabral
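Since every key under Records is promoted to the root the same way, a Logstash `ruby` filter can do it generically instead of 24 rename lines. The block below is an added stand-alone example (not code from the post): it assumes a minimal stand-in for Logstash's Event API (get/set/remove) and a constructed gzipped CloudTrail sample, and only the body of promote_record! belongs in `ruby { code => ... }` placed after the split filter.

```ruby
require 'json'
require 'zlib'
require 'stringio'
# Minimal stand-in for the Logstash event API (get/set/remove) so the promotion
# logic runs outside Logstash; the real `ruby` filter hands the code an Event
# object exposing the same three methods.
class Event
  def initialize(fields)
    @fields = fields
  end
  def get(name); @fields[name]; end
  def set(name, value); @fields[name] = value; end
  def remove(name); @fields.delete(name); end
  def to_hash; @fields; end
end
# Body of the `ruby { code => ... }` filter: promote every key of the single
# Record (already isolated by the split filter) to the event root, then drop
# the Records wrapper. Objects such as userIdentity keep their inner structure
# unchanged. Events that carry no Record hash pass through untouched.
def promote_record!(event)
  record = event.get('Records')
  return event unless record.is_a?(Hash)
  record.each { |key, value| event.set(key, value) }
  event.remove('Records')
  event
end
# Constructed sample: one gzipped CloudTrail file holding two Records.
SAMPLE_GZ = begin
  io = StringIO.new
  gz = Zlib::GzipWriter.new(io)
  gz.write({ 'Records' => [
    { 'eventVersion' => '1.08', 'eventName' => 'ConsoleLogin',
      'eventSource' => 'signin.amazonaws.com', 'eventTime' => '2022-01-05T10:15:30Z',
      'sourceIPAddress' => '192.0.2.10', 'awsRegion' => 'us-east-1',
      'userIdentity' => { 'type' => 'IAMUser', 'userName' => 'alice',
        'sessionContext' => { 'attributes' => { 'mfaAuthenticated' => 'false' } } } },
    { 'eventVersion' => '1.08', 'eventName' => 'CreateUser',
      'eventSource' => 'iam.amazonaws.com', 'eventTime' => '2022-01-05T10:16:02Z',
      'userIdentity' => { 'type' => 'IAMUser', 'userName' => 'alice' } }
  ] }.to_json)
  gz.finish   # flush the gzip trailer without closing the StringIO
  io.string
end
# What the json + split + ruby filters yield for one file: one flat event per Record.
def events_from_cloudtrail_gz(bytes)
  doc = JSON.parse(Zlib::GzipReader.new(StringIO.new(bytes)).read)
  doc.fetch('Records', []).map { |r| promote_record!(Event.new('Records' => r)).to_hash }
end
```

userIdentity stays a plain JSON object, which Elasticsearch maps as `object` by default; the `nested` type is meant for arrays of objects whose members must be queried independently, so the mapping above does not need it.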