I use the Logstash filter below to parse Cisco ESA logs:

filter {
  if "cef" in [tags] {
    # The CEF:0 header is pipe delimited; split it into an array and lift the
    # header fields out. Field references inside sprintf strings use the
    # bracket form [field][index] (0 version, 1 vendor, 2 product,
    # 3 device version, 4 signature id, 5 name, 6 severity, 7 extension).
    mutate {
      split => { "cef_message" => "|" }
      add_field => {
        "cef_version"        => "%{[cef_message][0]}"
        "cef_device_vendor"  => "%{[cef_message][1]}"
        "cef_device_product" => "%{[cef_message][2]}"
        "cef_device_version" => "%{[cef_message][3]}"
        "cef_sig_severity"   => "%{[cef_message][6]}"
        "cef_kv_message"     => "%{[cef_message][7]}"
      }
    }
    # The extension is "key=value key=value ..."; put a comma in front of
    # every key so kv can split on commas instead of on the spaces that
    # also occur inside values.
    mutate {
      gsub => ["cef_kv_message", "(\S+=)", ", \1"]
    }
    # Turn single quotes into double quotes so the JSON-looking values
    # become valid JSON.
    mutate {
      gsub => ["cef_kv_message", "'", '"']
    }
    kv {
      source       => "cef_kv_message"
      value_split  => "="
      field_split  => ","
      trim_key     => " "
      trim_value   => " "
      remove_field => ["cef_kv_message", "message", "cef_message"]
    }
  }
}
In some logs there are fields in JSON format, like SPFVerdict or AttachmentDetails. For AttachmentDetails, I want to extract, for each attachment, the file name, the hash and the size.
Below is an example:
{
  "type": "syslog",
  "device_product": "C190 Email Security Appliance",
  "AMPVerdict": "UNKNOWN",
  "AttachmentDetails": "{\"image.png\": {\"AMP\": {\"Verdict\": [\"FILE UNKNOWN\", \"FILE UNKNOWN\", \"FILE UNKNOWN\", \"FILE UNKNOWN\", \"FILE UNKNOWN\"], \"fileHash\": [\"cfb8d81191be809c15ff909da67a8645f234c8659907b7983ea81\", \"99aec7300ba8816c3ff56db24b6ca9b177fb8d9ed31846a8912d\"]}, \"BodyScanner\": {}}}",
  "@timestamp": "2024-03-10T10:15:15.000Z",
  "dvc": "192.168....",
  "event_severity": "5",
  "host": "localhost",
  "CFVerdict": "NO_MATCH",
  "event_class_id": "ESA_CONSOLIDATED_LOG_EVENT",
  "@version": "1",
  "SPFVerdict": "{\"mailfrom\": {\"result\": \"Pass\", \"sender\": \"bounce@mailing.sender.localhost\"}}",
  "AVVerdict": "NEGATIVE",
  "event_name": "Consolidated Log Event"
}
Any idea how to parse these fields, please?
Thanks
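One way to do it, as an added example that is not part of the original post: a Logstash ruby-filter script (loaded with `ruby { path => "/etc/logstash/esa_json.rb" }`, which calls `register(params)` once and `filter(event)` per event) that JSON-parses `AttachmentDetails` and `SPFVerdict` and turns the attachment map into one record per file. Logstash's built-in `json` filter could parse the strings too, but it would leave a hash keyed by file name (`image.png`), and keys containing dots are usually expanded into object paths downstream, so the file name is better off as a value. The output field names (`attachments`, `attachment_count`, `file_name`, `amp_verdict`, `file_hash`, `spf`) and the failure tag `_esa_jsonparsefailure` are my own choices; the sample event carries no size key, so any AMP key other than `Verdict` and `fileHash` is copied as `amp_<key>` and a size field would show up that way. The `FakeEvent` class and `SAMPLE_EVENT` (built from the posted event) exist only so the script runs stand-alone outside Logstash.

```ruby
# esa_json.rb: Logstash ruby-filter script, load with
#   ruby { path => "/etc/logstash/esa_json.rb" }
# Logstash calls register(params) once and filter(event) per event; filter
# returns the array of events to keep. FakeEvent and SAMPLE_EVENT below are
# only there so the same file can be run on its own with `ruby esa_json.rb`.
require "json"

# ESA key -> output field for the per-attachment "AMP" block. Verdict and
# fileHash are the keys seen in the posted event; any other key (e.g. a size
# field, whose exact ESA name is not known here) falls through as "amp_<key>".
AMP_KEYS = { "Verdict" => "amp_verdict", "fileHash" => "file_hash" }.freeze

def register(params)
  # nothing to configure
end

def add_tag(event, tag)
  event.set("tags", Array(event.get("tags")) | [tag])
end

# Parse a field holding a JSON string. Returns nil (and tags the event, leaving
# the raw string in place for triage) if the field is missing or not valid JSON.
def parse_json_field(event, field)
  raw = event.get(field)
  return nil unless raw.is_a?(String) && !raw.empty?
  JSON.parse(raw)
rescue JSON::ParserError
  add_tag(event, "_esa_jsonparsefailure")
  nil
end

# {"image.png" => {"AMP" => {...}, "BodyScanner" => {}}} becomes a list with one
# record per attachment, so the file name is a value instead of a field key.
def flatten_attachments(details)
  return [] unless details.is_a?(Hash)
  details.map do |file_name, scanners|
    scanners = {} unless scanners.is_a?(Hash)
    record = { "file_name" => file_name }
    amp = scanners["AMP"]
    (amp.is_a?(Hash) ? amp : {}).each do |key, value|
      record[AMP_KEYS.fetch(key) { "amp_#{key}" }] = value
    end
    body = scanners["BodyScanner"]
    record["body_scanner"] = body if body.is_a?(Hash) && !body.empty?
    record
  end
end

def filter(event)
  details = parse_json_field(event, "AttachmentDetails")
  unless details.nil?
    event.set("[attachments]", flatten_attachments(details))
    event.set("[attachment_count]", details.is_a?(Hash) ? details.size : 0)
    event.remove("AttachmentDetails")          # parsed copy replaces the raw string
  end
  spf = parse_json_field(event, "SPFVerdict")
  unless spf.nil?
    event.set("[spf]", spf)                    # spf.mailfrom.result, spf.mailfrom.sender
    event.remove("SPFVerdict")
  end
  [event]
end

# ---- stand-alone harness only (not used under Logstash) -------------------
# Minimal stand-in for the Logstash event API used above (get/set/remove/to_hash);
# it only understands top-level fields, with or without [brackets].
class FakeEvent
  def initialize(fields) ; @fields = fields.dup ; end
  def get(ref)           ; @fields[key(ref)]   ; end
  def set(ref, value)    ; @fields[key(ref)] = value ; end
  def remove(ref)        ; @fields.delete(key(ref)) ; end
  def to_hash            ; @fields ; end
  private
  def key(ref) ; ref.delete("[]") ; end
end

# Constructed from the event in the post (hash values shortened as posted).
SAMPLE_EVENT = {
  "event_class_id"    => "ESA_CONSOLIDATED_LOG_EVENT",
  "AMPVerdict"        => "UNKNOWN",
  "AttachmentDetails" => '{"image.png": {"AMP": {"Verdict": ["FILE UNKNOWN", "FILE UNKNOWN"], ' \
                         '"fileHash": ["cfb8d81191be809c15ff909da67a8645f234c8659907b7983ea81", ' \
                         '"99aec7300ba8816c3ff56db24b6ca9b177fb8d9ed31846a8912d"]}, "BodyScanner": {}}}',
  "SPFVerdict"        => '{"mailfrom": {"result": "Pass", "sender": "bounce@mailing.sender.localhost"}}',
}.freeze

if __FILE__ == $PROGRAM_NAME
  ev = FakeEvent.new(SAMPLE_EVENT)
  filter(ev)
  puts JSON.pretty_generate(ev.to_hash)
end
```

Note that `attachments` is an array of objects; if you need to query one attachment's hash together with its own verdict in Elasticsearch rather than across all attachments of the event, map the field as `nested` in the index template. The raw string is kept and the event tagged when parsing fails, so malformed records can be found with `tags:_esa_jsonparsefailure` instead of disappearing silently.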