Need help removing square brackets from field name in JSON input

devdua · May 23, 2019, 6:13am

This is a sample of the log that's causing parse error -

{
  "output": "11:08:30.411631274: Warning Sensitive file opened for reading by non-trusted program (user=root program=cat command=cat \/etc\/shadow file=\/etc\/shadow parent=bash gparent=<NA> ggparent=<NA> gggparent=<NA>)",
  "priority": "Warning",
  "rule": "Read sensitive file untrusted",
  "time": "2019-05-23T05:38:30.411631274Z",
  "output_fields": {
    "evt.time": 1.5585899104116e+18,
    "fd.name": "\/etc\/shadow",
    "proc.aname[2]": null,
    "proc.aname[3]": null,
    "proc.aname[4]": null,
    "proc.cmdline": "cat \/etc\/shadow",
    "proc.name": "cat",
    "proc.pname": "bash",
    "user.name": "root"
  }
}

I need help to rename the proc.aname fields that contain square brackets to something else, or remove the fields entirely.

Badger · May 23, 2019, 3:16pm

That is an interesting variant of this issue. And it is annoying because it cause logstash to crash.

mutate { gsub => [ "message", "\[([0-9]+)\]", "\1" ] }

might help.

devdua · May 24, 2019, 4:08am

Hi Badger thanks, this changes the logstash output for sure, but doesn't help with the problem of ParseError. This is what I get -

[ERROR] 2019-05-24 09:35:51.992 [[main]<file] json - JSON parse error, original data now in message field {:error=>#<LogStash::Json::ParserError: Invalid FieldReference: `proc.aname[2]`>, :data=>"{\"output\":\"09:35:51.712772955: Warning Sensitive file opened for reading by non-trusted program (user=root program=cat command=cat /etc/shadow file=/etc/shadow parent=sudo gparent=bash ggparent=sshd gggparent=sshd)\",\"priority\":\"Warning\",\"rule\":\"Read sensitive file untrusted\",\"time\":\"2019-05-24T04:05:51.712772955Z\", \"output_fields\": {\"evt.time\":1558670751712772955,\"fd.name\":\"/etc/shadow\",\"proc.aname[2]\":\"bash\",\"proc.aname[3]\":\"sshd\",\"proc.aname[4]\":\"sshd\",\"proc.cmdline\":\"cat /etc/shadow\",\"proc.name\":\"cat\",\"proc.pname\":\"sudo\",\"user.name\":\"root\"}}"}
/usr/share/logstash/vendor/bundle/jruby/2.5.0/gems/awesome_print-1.7.0/lib/awesome_print/formatters/base_formatter.rb:31: warning: constant ::Fixnum is deprecated
{
          "tags" => [
        [0] "_jsonparsefailure"
    ],
          "host" => "host",
    "@timestamp" => 2019-05-24T04:05:51.995Z,
          "path" => "/var/log/sample.log",
       "message" => "{\"output\":\"09:35:51.712772955: Warning Sensitive file opened for reading by non-trusted program (user=root program=cat command=cat /etc/shadow file=/etc/shadow parent=sudo gparent=bash ggparent=sshd gggparent=sshd)\",\"priority\":\"Warning\",\"rule\":\"Read sensitive file untrusted\",\"time\":\"2019-05-24T04:05:51.712772955Z\", \"output_fields\": {\"evt.time\":1558670751712772955,\"fd.name\":\"/etc/shadow\",\"proc.aname2\":\"bash\",\"proc.aname3\":\"sshd\",\"proc.aname4\":\"sshd\",\"proc.cmdline\":\"cat /etc/shadow\",\"proc.name\":\"cat\",\"proc.pname\":\"sudo\",\"user.name\":\"root\"}}",
      "@version" => "1"
}

Does anyone know how to get past this input error?

Badger · May 24, 2019, 1:35pm

Move the mutate so that it is before the json filter.

system · June 21, 2019, 1:45pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.