Need help removing square brackets from field name in JSON input

This is a sample of the log that's causing parse error -

{
  "output": "11:08:30.411631274: Warning Sensitive file opened for reading by non-trusted program (user=root program=cat command=cat \/etc\/shadow file=\/etc\/shadow parent=bash gparent=<NA> ggparent=<NA> gggparent=<NA>)",
  "priority": "Warning",
  "rule": "Read sensitive file untrusted",
  "time": "2019-05-23T05:38:30.411631274Z",
  "output_fields": {
    "evt.time": 1.5585899104116e+18,
    "fd.name": "\/etc\/shadow",
    "proc.aname[2]": null,
    "proc.aname[3]": null,
    "proc.aname[4]": null,
    "proc.cmdline": "cat \/etc\/shadow",
    "proc.name": "cat",
    "proc.pname": "bash",
    "user.name": "root"
  }
}

I need help to rename the proc.aname fields that contain square brackets to something else, or remove the fields entirely.

That is an interesting variant of this issue. And it is annoying because it causes logstash to crash.

mutate { gsub => [ "message", "\[([0-9]+)\]", "\1" ] }

might help.


Hi Badger, thanks, this changes the logstash output for sure, but doesn't help with the problem of ParseError. This is what I get -

[ERROR] 2019-05-24 09:35:51.992 [[main]<file] json - JSON parse error, original data now in message field {:error=>#<LogStash::Json::ParserError: Invalid FieldReference: `proc.aname[2]`>, :data=>"{\"output\":\"09:35:51.712772955: Warning Sensitive file opened for reading by non-trusted program (user=root program=cat command=cat /etc/shadow file=/etc/shadow parent=sudo gparent=bash ggparent=sshd gggparent=sshd)\",\"priority\":\"Warning\",\"rule\":\"Read sensitive file untrusted\",\"time\":\"2019-05-24T04:05:51.712772955Z\", \"output_fields\": {\"evt.time\":1558670751712772955,\"fd.name\":\"/etc/shadow\",\"proc.aname[2]\":\"bash\",\"proc.aname[3]\":\"sshd\",\"proc.aname[4]\":\"sshd\",\"proc.cmdline\":\"cat /etc/shadow\",\"proc.name\":\"cat\",\"proc.pname\":\"sudo\",\"user.name\":\"root\"}}"}
/usr/share/logstash/vendor/bundle/jruby/2.5.0/gems/awesome_print-1.7.0/lib/awesome_print/formatters/base_formatter.rb:31: warning: constant ::Fixnum is deprecated
{
          "tags" => [
        [0] "_jsonparsefailure"
    ],
          "host" => "host",
    "@timestamp" => 2019-05-24T04:05:51.995Z,
          "path" => "/var/log/sample.log",
       "message" => "{\"output\":\"09:35:51.712772955: Warning Sensitive file opened for reading by non-trusted program (user=root program=cat command=cat /etc/shadow file=/etc/shadow parent=sudo gparent=bash ggparent=sshd gggparent=sshd)\",\"priority\":\"Warning\",\"rule\":\"Read sensitive file untrusted\",\"time\":\"2019-05-24T04:05:51.712772955Z\", \"output_fields\": {\"evt.time\":1558670751712772955,\"fd.name\":\"/etc/shadow\",\"proc.aname2\":\"bash\",\"proc.aname3\":\"sshd\",\"proc.aname4\":\"sshd\",\"proc.cmdline\":\"cat /etc/shadow\",\"proc.name\":\"cat\",\"proc.pname\":\"sudo\",\"user.name\":\"root\"}}",
      "@version" => "1"
}

Does anyone know how to get past this input error?

Move the mutate so that it is before the json filter.
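The fix the thread arrives at (gsub on the raw message first, json filter second), shown as an added Ruby example that is not part of the original posts or of Logstash itself; the alert line is constructed, and the gsub is the same Ruby-style regex the mutate filter applies. Note that the substitution runs over the whole raw line, so a `[digits]` sequence inside a value would be rewritten too.

```ruby
require 'json'

# Constructed sample: a raw Falco alert line carrying the bracketed
# proc.aname[N] keys that Logstash rejects as field references.
RAW_ALERT = '{"rule":"Read sensitive file untrusted","priority":"Warning",' \
            '"output_fields":{"fd.name":"/etc/shadow","proc.name":"cat",' \
            '"proc.pname":"sudo","proc.aname[2]":"bash","proc.aname[3]":"sshd",' \
            '"proc.aname[4]":"sshd","user.name":"root"}}'

# Same substitution as the mutate/gsub filter from the thread, applied to
# the raw text BEFORE any JSON parsing: "[2]" becomes "2".
def strip_index_brackets(message)
  message.gsub(/\[([0-9]+)\]/, '\1')
end

# Return every key, at any nesting depth, that contains "[" or "]".
# Logstash uses brackets as field-path syntax, so such a key is what
# the json filter reports as "Invalid FieldReference".
def bracketed_keys(obj, found = [])
  case obj
  when Hash
    obj.each do |k, v|
      found << k if k.include?('[') || k.include?(']')
      bracketed_keys(v, found)
    end
  when Array
    obj.each { |v| bracketed_keys(v, found) }
  end
  found
end

# Parse a raw alert line in the corrected pipeline order:
# gsub first, then json. Returns the parsed event as a Hash.
def parse_alert(raw)
  JSON.parse(strip_index_brackets(raw))
end

if __FILE__ == $0
  puts "before: #{bracketed_keys(JSON.parse(RAW_ALERT)).inspect}"
  event = parse_alert(RAW_ALERT)
  puts "after:  #{bracketed_keys(event).inspect}"
  puts "ancestors: #{event['output_fields'].values_at('proc.aname2', 'proc.aname3').inspect}"
end
```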
