Hi, I have the log below after using the JSON filter. I need to move all the fields out of the nested JSON object "log" to the top level: for example, instead of log.user or log.allow I need just user or allow.
"version": 2,
"timestamp": "2020-05-17T22:52:18.615Z",
"hostname": "fdhgsdsfh.dhfdh.com",
"daemon": "cz-dhdh",
"log": {
"action": "allow",
"action_id": "c7bfa620-4bc2-3375-86ec-cf456be80672",
"client_port": 4995,
"connection_type": "established",
"destination_port": 3389,
"direction": "up",
"ou": "ddf",
"user": "ddhd.s",
"event_type": "ip_access",
"geoip": {
"ip": "89.x.xx.x",
"time_zone": "Asia/Qatar",
"continent_code": "AS",
"city_name": "Doha",
"country_name": "Qatar",
"country_code2": "QA",
"country_code3": "QA",
"region_code": "DA",
"location": {
"lon": 51.51,
"lat": 25.29
},
"latitude": 25.25,
"longitude": 51.531,
"cordinates": [
51.51,
25.29
]
},
"packet_size": 40,
"protocol": "TCP",
"rule_name": "AX-Server-RDP-0",
"source_ip": "192.168.100.9",
"source_port": 50901,
"timestamp": "2020-05-17T22:52:18.615Z",
"version": 12
}
I am using the config below:
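filter {
  # Parse the raw JSON text in "message" into event fields.
  json {
    source => "message"
  }
  # Promote the keys of the nested "log" object to the event root.
  # Keys from the payload are only promoted when no root field of the
  # same name exists, so untrusted log content can never clobber fields
  # Logstash or earlier filters already set (in the sample, log.version
  # and log.timestamp collide with the root version/timestamp and are
  # therefore left under "log"; rename them with mutate first if you
  # want them at the root). "log" is removed once it is empty.
  ruby {
    code => '
      nested = event.get("log")
      if nested.is_a?(Hash)
        nested.each do |key, value|
          next if event.include?(key)
          event.set(key, value)
          event.remove("[log][#{key}]")
        end
        event.remove("log") if event.get("log").empty?
      end
    '
  }
}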