Parsing JSON array inside

Hi,
I've got a JSON document with an array inside. Based on another thread I've tried something with Ruby to change the key names, but it doesn't work.

  "messages": [
    {
      "message": "XSS Attack Detected via libinjection",
      "details": {
        "data": "Matched Data: XSS data found within ARGS_NAMES: <?xml version",
        "lineNumber": "37",
        "file": "/usr/local/openresty/nginx/conf/crs/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf",
        "reference": "v257,13t:utf8toUnicode,t:urlDecodeUni,t:htmlEntityDecode,t:jsDecode,t:cssDecode,t:removeNulls",
        "tags": [
          "application-multi",
          "OWASP_AppSensor/IE1",
          "CAPEC-242"
        ],
        "ruleId": "941100",
        "ver": "OWASP_CRS/3.2.0",
        "severity": "2",
        "rev": "",
        "match": "detected XSS using libinjection.",
        "accuracy": "0",
        "maturity": "0"
      }
    },
    {
      "message": "Inbound Anomaly Score Exceeded (Total Score: 5)",
      "details": {
        "data": "",
        "lineNumber": "80",
        "file": "/usr/local/openresty/nginx/conf/crs/rules/REQUEST-949-BLOCKING-EVALUATION.conf",
        "tags": [
          "application-multi",
          "attack-generic"
        ],
        "reference": "",
        "ruleId": "949110",
        "ver": "OWASP_CRS/3.2.0",
        "severity": "2",
        "rev": "",
        "match": "Matched \"Operator `Ge' with parameter `5' against variable `TX:ANOMALY_SCORE' (Value: `5' )",
        "accuracy": "0",
        "maturity": "0"
      }
    }
  ],
  "user_agent": {
    "original": "MauiBot (crawler.feedback+wc@gmail.com)",
    "os_name": "Other",
    "device": "Spider",
    "os": "Other",
    "build": "",
    "name": "MauiBot"
  },
  "destination": {
    "ip": "127.0.0.1",
    "port": 80
  }

I'd like to differentiate [messages][message] so I've used this code but it doesn't work:

filter {
  if ([messages][message][0]) {
    ruby {
      code => '
        c = event.get("messages")
        if c
          c.each_index { |x|
            event.set("message-#{x}", c[x]["message"])
          }
        end
      '
    }
    mutate {
      add_field => {
        "modsec_message" => "%{[messages][message][0]}"
      }
    }
  }
}

Replace both occurrences of this with [messages][0][message]
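Added example (not code from the thread): a small Ruby model of why the corrected reference works. `FakeEvent` is a hypothetical stand-in for the Logstash event API's `get`/`set`, and the sample event is constructed from a trimmed copy of the log above.

```ruby
require 'json'

# Constructed sample event, trimmed from the CRS audit-log fragment in the post.
SAMPLE_JSON = <<~JSON
  {"messages": [
     {"message": "XSS Attack Detected via libinjection",
      "details": {"ruleId": "941100", "severity": "2"}},
     {"message": "Inbound Anomaly Score Exceeded (Total Score: 5)",
      "details": {"ruleId": "949110", "severity": "2"}}],
   "destination": {"ip": "127.0.0.1", "port": 80}}
JSON

# Hypothetical stand-in for the Logstash Event API (get/set), just enough to
# show how a field reference walks the document. Assumption: a non-numeric
# key applied to an array resolves to nil, which is why the wrong reference
# [messages][message][0] comes back empty while [messages][0][message] works.
class FakeEvent
  def initialize(data); @data = data; end
  def set(name, value); @data[name] = value; end

  # Resolve "[a][0][b]" (or a bare top-level name) against the event hash.
  def get(ref)
    keys = ref.start_with?('[') ? ref.scan(/\[([^\]]+)\]/).flatten : [ref]
    keys.reduce(@data) do |node, key|
      case node
      when Array then key =~ /\A\d+\z/ ? node[key.to_i] : nil
      when Hash  then node[key]
      end
    end
  end
end

def sample_event
  FakeEvent.new(JSON.parse(SAMPLE_JSON))
end

# Body of the corrected filter: one field per CRS message plus its rule id,
# and modsec_message copied from the first entry using the fixed reference.
def flatten_modsec_messages(event)
  return event unless event.get('[messages][0][message]')
  event.get('messages').each_with_index do |m, i|
    event.set("message-#{i}", m['message'])
    event.set("rule-#{i}", m.dig('details', 'ruleId'))
  end
  event.set('modsec_message', event.get('[messages][0][message]'))
  event
end
```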

thanks it works!
