Hi all again,
I know this topic has been discussed in the past, but I am a newbie in this world and was not able to apply the solutions provided in the old discussions to my case.
I have to parse a log like this:
> Sep 22 15:08:11 host04 PWM {"sourceAddress":"10.10.10.5","sourceHost":"10.10.10.5","type":"USER","eventCode":"TOKEN_ISSUED","guid":"3792e530-c41a-4d49-8ac0-d516c9","timestamp":"2017-09-22T13:08:11Z","message":"{\"date\":\"2017-09-22T13:08:11Z\",\"name\":\"NEWUSER_EMAIL\",\"data\":**{\"_______profileID\":\"WRT\",\"CompanyexternalCountry\":\"cn=AGO,ou=countries,ou=mapping,o=xxx\",\"CompanyexternalBrand\":\"cn=Company,ou=brands,ou=mapping,o=xxx\",\"telephoneNumber\":\"\",\"mail\":\"username@nomail.com\",\"CompanyexternalNote\":\"\",\"givenName\":\"john\",\"CompanyexternalCompany\":\"nosocieta\",\"sn\":\"doe\",\"cn\":\"JOHN DOE\",\"Companyexternalvatnumber\":\"34565432\",\"password1\":\"H4sIAAAAAAAAAAFCAL3_UFdDMjU23suete7Z1gFDva07-7WHvegvewZfvVC2DCEsVew4kAIHzQI9-AebILK9uY0un0E1OQlgAEIAAAA=\"}**,\"dest\":[[truncated]","narrative":"A token has been issued","xdasTaxonomy":"XDAS_AE_SET_CRED_ACCOUNT","xdasOutcome":"XDAS_OUT_PRIV_GRANTED"}
The problem is what comes after the word "data": I am not capable of mapping and parsing that message inside the {}...
In my logstash.conf I tried to put:
filter {
  if [type] == "syslog" {
    # Split the syslog prefix from the JSON payload that follows the application name
    grok {
      match => [ "message", "%{CISCOTIMESTAMP:timestamp} %{HOSTNAME:Hostname} %{WORD:Application} %{GREEDYDATA:request1}" ]
    }
    # First pass: decode the outer JSON object into [WRTuser]
    json {
      source => "request1"
      target => "WRTuser"
      remove_field => ["request1"]
    }
    # Second pass: the "message" key is itself a JSON string, so decode it again.
    # Nested fields must be referenced as [WRTuser][message]; the dotted form
    # "WRTuser.message" is looked up as a single top-level field and is never found.
    json {
      source => "[WRTuser][message]"
      target => "data"
    }
  }
}
(2 json filters one after another)
I was able to parse all the fields outside the inner message, but nothing inside those {}.
Does anyone have an idea to suggest?
Thanks a lot
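A complete pipeline for this event, added here as an example and not the poster's own configuration. It assumes the sample line is fed on stdin; the `_outer_json_failed` / `_inner_json_failed` tag names and the decision to drop the `password1` blob are choices made for this example. Note that the line as pasted ends in `[[truncated]`, which is not valid JSON, so on that exact input the second filter fails and tags the event instead of populating [data].

```logstash
input { stdin {} }   # assumption: pipe the raw syslog line in for testing

filter {
  # Syslog prefix, then the application name, then the JSON payload.
  grok {
    match => { "message" => "%{CISCOTIMESTAMP:timestamp} %{HOSTNAME:Hostname} %{WORD:Application} %{GREEDYDATA:request1}" }
  }

  # Level 1: the outer object lands under [WRTuser].
  json {
    source => "request1"
    target => "WRTuser"
    remove_field => ["request1"]
    tag_on_failure => ["_outer_json_failed"]   # example tag name
  }

  # Level 2: [WRTuser][message] is a JSON *string* (note the escaped quotes in
  # the raw line), so it needs its own decode. Field references are [a][b];
  # a dotted "WRTuser.message" would be treated as one flat field name.
  json {
    source => "[WRTuser][message]"
    target => "data"
    tag_on_failure => ["_inner_json_failed"]   # example tag name
  }

  # Inside that string, "data" is already a nested object, so after the second
  # decode its keys are at [data][data][mail], [data][data][cn], and so on.
  # No third json filter is needed.
  if "_inner_json_failed" not in [tags] {
    mutate {
      # The raw string is now redundant with the parsed fields.
      remove_field => ["[WRTuser][message]"]
      # The event carries an opaque "password1" value; drop it before indexing
      # so credential material does not end up searchable in the store.
      remove_field => ["[data][data][password1]"]
    }
  }
}

output { stdout { codec => rubydebug } }
```

If real events also arrive truncated, check the maximum message length of the syslog sender and receiver before tuning the filters; no JSON filter can recover a payload that was cut off upstream.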