Parse a log that is JSON and grok


(Marek Pastier) #1

Hello team. I would like to ask for help.
I have a log file with the following records.

Mar 12 07:04:07 HATAVSM002 ERAServer[3720] <U+FEFF>{"event_type":"Threat_Event","ipv4":"10.1.3.115","hostname":"test.sebb.com","source_uuid":"7290a94d-6e8e-45b2-8a82-68bb5c03622f","occured":"12-Mar-2018 07:03:10","severity":"Warning","threat_type":"test file","threat_name":"Eicar","scanner_id":"Real-time file system protection","scan_id":"virlog.dat","engine_version":"17041 (20180312)","object_type":"file","object_uri":"file:///C:/Users/test/Downloads/51916f41-bb85-4dac-a14b-a37712d0e7f9.tmp/eicar.com","action_taken":"deleted","threat_handled":true,"need_restart":false,"username":"SEBB\\test","processname":"C:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe","circumstances":"Event occurred on a modified file.","hash":"B68913E1F10A52F3A8F0EDE635D1EA29D40AA2D7"}

This record combines JSON and grok. I don't know how to parse this record.
I used many combinations but without success.

My filter:

filter {
  grok {
    match => [ "message", "%{DATESTAMP} %{GREEDYDATA:message}" ]
  }

  mutate {
    gsub => [ "message", "[\\.]", "" ]
  }

  json {
    source => "message"
  }
}


(Magnus Bäck) #2

You're on the right track, but if you want the grok filter to be able to overwrite the message field you need to set the filter's overwrite option. Also, the mutate filter shouldn't be necessary if the grok filter is done right.
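As an added illustration (not code from either poster, and not Logstash itself), the following Python models the pipeline the reply describes: a grok-style match that captures the tail of the line as `message`, the equivalent of grok's `overwrite => ["message"]`, followed by a JSON decode, with no mutate/gsub step. It also shows the three things that go wrong with the filter in the question: without overwrite the captured value is appended, so `message` becomes an array rather than a string; the `%{DATESTAMP}` pattern only matches numeric dates, whereas `Mar 12 07:04:07` has the `%{SYSLOGTIMESTAMP}` shape; and the `<U+FEFF>` visible in the posted record is a UTF-8 byte-order mark that the gsub does not remove and that a JSON parser will refuse, while the gsub does silently strip the dots out of IPs, hostnames and paths. The Logstash filter in the comment and the sample line are assumptions constructed for the example.

```python
import json
import re

# Added example (not code from the thread or from Logstash): a plain-Python
# model of the corrected pipeline the reply describes, i.e. grok with
# overwrite => ["message"] followed by the json filter, with no mutate/gsub.
# The Logstash filter it models (an assumption, not executed here):
#
#   filter {
#     grok {
#       match     => { "message" => "%{SYSLOGTIMESTAMP:timestamp} %{SYSLOGHOST:host} %{PROG:program}\[%{POSINT:pid}\] %{GREEDYDATA:message}" }
#       overwrite => [ "message" ]
#     }
#     json { source => "message" }
#   }

BOM = "\ufeff"  # the <U+FEFF> shown in the posted record: a UTF-8 byte-order mark

# Grok-style regex for the syslog prefix. %{DATESTAMP} from the question only
# matches numeric dates; "Mar 12 07:04:07" has the %{SYSLOGTIMESTAMP} shape.
SYSLOG_JSON_RE = re.compile(
    r"^(?P<timestamp>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) "  # %{SYSLOGTIMESTAMP}
    r"(?P<host>\S+) "                                             # %{SYSLOGHOST}
    r"(?P<program>[\w./%-]+)\[(?P<pid>\d+)\] "                   # %{PROG}[%{POSINT}]
    r"(?P<message>.*)$",                                          # %{GREEDYDATA}
    re.DOTALL,
)

# Constructed sample line modelled on the record in the question (not a real log).
SAMPLE_LINE = (
    "Mar 12 07:04:07 HATAVSM002 ERAServer[3720] " + BOM
    + '{"event_type":"Threat_Event","ipv4":"10.1.3.115","hostname":"test.sebb.com",'
    '"occured":"12-Mar-2018 07:03:10","severity":"Warning","threat_name":"Eicar",'
    '"object_uri":"file:///C:/Users/test/Downloads/eicar.com","action_taken":"deleted",'
    '"threat_handled":true,"username":"SEBB\\\\test",'
    '"hash":"B68913E1F10A52F3A8F0EDE635D1EA29D40AA2D7"}'
)


def grok(line: str, overwrite: bool = True) -> dict:
    """Model of the grok step. Without overwrite, grok appends the captured
    value to the existing field, so 'message' becomes a list of
    [original line, captured tail]; that is what the question's filter does."""
    m = SYSLOG_JSON_RE.match(line)
    if not m:
        raise ValueError("no match for syslog prefix: %r" % line[:40])
    event = {"message": line}
    for name, value in m.groupdict().items():
        if name == "message" and not overwrite:
            event["message"] = [event["message"], value]
        else:
            event[name] = value
    event["pid"] = int(event["pid"])
    return event


def json_filter(event: dict, source: str = "message", strip_bom: bool = True) -> dict:
    """Model of the json filter: decode event[source] and merge its keys at the
    root. json.loads rejects a leading BOM, so it is stripped when strip_bom is set."""
    body = event[source]
    if not isinstance(body, str):
        raise TypeError("json source is a %s, not a string" % type(body).__name__)
    if strip_bom:
        body = body.lstrip(BOM)
    merged = dict(event)
    merged.update(json.loads(body))
    return merged


def parse_event(line: str) -> dict:
    """The corrected pipeline: grok with overwrite, then json."""
    return json_filter(grok(line, overwrite=True))


def pipeline_error(line: str, overwrite: bool, strip_bom: bool) -> str:
    """Exception name the pipeline raises for the given settings, '' if it parses."""
    try:
        json_filter(grok(line, overwrite=overwrite), strip_bom=strip_bom)
        return ""
    except (TypeError, json.JSONDecodeError) as exc:
        return type(exc).__name__


def poster_gsub(body: str) -> str:
    """The mutate/gsub from the question: delete every '.' and '\\'. It does
    not touch the BOM and silently corrupts IPs, hostnames and paths."""
    return re.sub(r"[\\.]", "", body)


def parse_after_gsub(line: str) -> dict:
    """What the question's gsub does to the data once the JSON does decode."""
    body = poster_gsub(grok(line)["message"]).lstrip(BOM)
    return json.loads(body)


if __name__ == "__main__":
    ev = parse_event(SAMPLE_LINE)
    print(ev["timestamp"], ev["host"], ev["program"], ev["pid"], ev["threat_name"], ev["username"])
    print("without overwrite:", pipeline_error(SAMPLE_LINE, overwrite=False, strip_bom=True))
    print("BOM left in place:", pipeline_error(SAMPLE_LINE, overwrite=True, strip_bom=False))
    print("ipv4 after the gsub:", parse_after_gsub(SAMPLE_LINE)["ipv4"])
```

Whether Logstash's own grok and json filters tolerate the byte-order mark is not something the thread settles, so in a real pipeline check the decoded event for that character (or a `_jsonparsefailure` tag) before assuming the filter is fixed by the overwrite option alone.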

