Removing special characters

JeremyP · July 15, 2022, 8:04pm

Hello,

I have some special characters in one of my fields which I'm having issues removing. They may be reserved characters so my logstash instance is failing. Here is the event in question...

"proof" => [
            [0] "\"Vulnerable software installed: Apache Log4j Core 2.11.1 (/var/lib/docker/overlay2/0edef2ae5c6fc053ca616bd84b6bfe81e39ebdc071ca44c9c29c378112693860/diff/usr/share/elasticsearch/lib/log4j-core-2.11.1.jar)No mitigation applied. JndiLookup class discovered.\"",
            [1] "\"Vulnerable software installed: Apache Log4j Core 2.14.0 (/var/lib/docker/overlay2/c2877f2cdbd6d80bcafb50907a452a74eefa6e95a34de050908632c0079c0b3a/diff/usr/share/logstash/logstash-core/lib/jars/log4j-core-2.14.0.jar)No mitigation applied. JndiLookup class discovered.\"",
            [2] "\"Vulnerable software installed: Apache Log4j Core 2.11.1 (/var/lib/docker/overlay2/9e668265b4cc434f8aa963a773a06c0662323ec76bdd91bf012b4db643298d3a/diff/usr/share/logstash/logstash-core/lib/jars/log4j-core-2.11.1.jar)No mitigation applied. JndiLookup class discovered.\"",
            [3] "\"Vulnerable software installed: Apache Log4j Core 2.11.1 (/var/lib/docker/overlay2/04b58f14d8ef5bab515849cb8ac65fd4843915ef905a3fadd97268a5dfd8b79a/diff/usr/share/logstash/logstash-core/lib/jars/log4j-core-2.11.1.jar)No mitigation applied. JndiLookup class discovered.\"",
            [4] "\"Vulnerable software installed: Apache Log4j Core 2.14.0 (/var/lib/docker/overlay2/b2efd746948b7132e32c25d9812d7ed46d27ca6ed4a98835386628d838c16e5b/diff/usr/share/logstash/logstash-core/lib/jars/log4j-core-2.14.0.jar)No mitigation applied. JndiLookup class discovered.\"",
            [5] "\"Vulnerable software installed: Apache Log4j Core 2.11.1 (/var/lib/docker/overlay2/3fca162b169ea32445c5a3e1f554891025dc1c24f9f9bf30ddc4af95a0670194/diff/usr/share/logstash/logstash-core/lib/jars/log4j-core-2.11.1.jar)No mitigation applied. JndiLookup class discovered.\""
        ],

My config (currently)

  mutate {
    gsub => [
      "proof", "[{}]", "",
    split => { "proof" => "," }
  }
  mutate { strip => [ "proof" ] }

In my output I have extra " and \ from the original data which was one message. I'm attempting to remove the special characters and performing a split on the event to create an array. So far the array works fine, I'm just left with additional characters so I need to clean up the data. Every time I attempt to add those characters to the gsub I get an error exception=>#<RegexpError: premature end of char-class: /[\]/>

Any assistance is appreciated!

Thank you.

Badger · July 15, 2022, 9:26pm

What characters do you want to remove?

JeremyP · July 16, 2022, 12:40am

Hi Badger

The backslashes and extra double quotes.

Badger · July 16, 2022, 12:45am

There are no backslashes in your message. The rubydebug format inserts a backslash to escape the double quote.

split { field => "proof" }
mutate { gsub => [ "proof", '"', "" ] }

JeremyP · July 18, 2022, 2:18pm

I think there is a backslash. I gave you the Ruby Debug output but here is the JSON data in the Elastic document when I do a _doc query.

"proof" : [
        "\"Vulnerable software installed: Apache Log4j Core 2.11.1 (/var/lib/docker/overlay2/0edef2ae5c6fc053ca616bd84b6bfe81e39ebdc071ca44c9c29c378112693860/diff/usr/share/elasticsearch/lib/log4j-core-2.11.1.jar)No mitigation applied. JndiLookup class discovered.\"",
        "\"Vulnerable software installed: Apache Log4j Core 2.14.0 (/var/lib/docker/overlay2/c2877f2cdbd6d80bcafb50907a452a74eefa6e95a34de050908632c0079c0b3a/diff/usr/share/logstash/logstash-core/lib/jars/log4j-core-2.14.0.jar)No mitigation applied. JndiLookup class discovered.\"",
        "\"Vulnerable software installed: Apache Log4j Core 2.11.1 (/var/lib/docker/overlay2/9e668265b4cc434f8aa963a773a06c0662323ec76bdd91bf012b4db643298d3a/diff/usr/share/logstash/logstash-core/lib/jars/log4j-core-2.11.1.jar)No mitigation applied. JndiLookup class discovered.\"",
        "\"Vulnerable software installed: Apache Log4j Core 2.11.1 (/var/lib/docker/overlay2/04b58f14d8ef5bab515849cb8ac65fd4843915ef905a3fadd97268a5dfd8b79a/diff/usr/share/logstash/logstash-core/lib/jars/log4j-core-2.11.1.jar)No mitigation applied. JndiLookup class discovered.\"",
        "\"Vulnerable software installed: Apache Log4j Core 2.14.0 (/var/lib/docker/overlay2/b2efd746948b7132e32c25d9812d7ed46d27ca6ed4a98835386628d838c16e5b/diff/usr/share/logstash/logstash-core/lib/jars/log4j-core-2.14.0.jar)No mitigation applied. JndiLookup class discovered.\"",
        "\"Vulnerable software installed: Apache Log4j Core 2.11.1 (/var/lib/docker/overlay2/3fca162b169ea32445c5a3e1f554891025dc1c24f9f9bf30ddc4af95a0670194/diff/usr/share/logstash/logstash-core/lib/jars/log4j-core-2.11.1.jar)No mitigation applied. JndiLookup class discovered.\""
      ]

Badger · July 18, 2022, 3:17pm

I still do not think there is a backslash in your field, but you can try

mutate { gsub => [ "proof", '"', "", "proof", "[\\]", "" ] }

JeremyP · July 18, 2022, 4:40pm

That did the trick. Thank you Badger.

"proof" : [
        "Vulnerable software installed: Apache Log4j Core 2.11.1 (/var/lib/docker/overlay2/0edef2ae5c6fc053ca616bd84b6bfe81e39ebdc071ca44c9c29c378112693860/diff/usr/share/elasticsearch/lib/log4j-core-2.11.1.jar)No mitigation applied. JndiLookup class discovered.",
        "Vulnerable software installed: Apache Log4j Core 2.14.0 (/var/lib/docker/overlay2/b2efd746948b7132e32c25d9812d7ed46d27ca6ed4a98835386628d838c16e5b/diff/usr/share/logstash/logstash-core/lib/jars/log4j-core-2.14.0.jar)No mitigation applied. JndiLookup class discovered.",
        "Vulnerable software installed: Apache Log4j Core 2.11.1 (/var/lib/docker/overlay2/04b58f14d8ef5bab515849cb8ac65fd4843915ef905a3fadd97268a5dfd8b79a/diff/usr/share/logstash/logstash-core/lib/jars/log4j-core-2.11.1.jar)No mitigation applied. JndiLookup class discovered.",
        "Vulnerable software installed: Apache Log4j Core 2.11.1 (/var/lib/docker/overlay2/9e668265b4cc434f8aa963a773a06c0662323ec76bdd91bf012b4db643298d3a/diff/usr/share/logstash/logstash-core/lib/jars/log4j-core-2.11.1.jar)No mitigation applied. JndiLookup class discovered.",
        "Vulnerable software installed: Apache Log4j Core 2.11.1 (/var/lib/docker/overlay2/3fca162b169ea32445c5a3e1f554891025dc1c24f9f9bf30ddc4af95a0670194/diff/usr/share/logstash/logstash-core/lib/jars/log4j-core-2.11.1.jar)No mitigation applied. JndiLookup class discovered.",
        "Vulnerable software installed: Apache Log4j Core 2.14.0 (/var/lib/docker/overlay2/c2877f2cdbd6d80bcafb50907a452a74eefa6e95a34de050908632c0079c0b3a/diff/usr/share/logstash/logstash-core/lib/jars/log4j-core-2.14.0.jar)No mitigation applied. JndiLookup class discovered."
      ],

  mutate {
    gsub => [
      "proof", '"', "", "proof", "[\\]", "", "proof", "[{}]", "" ]
    split => { "proof" => "," }
  }

system · August 15, 2022, 4:40pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Issues with special characters in docker env Logstash	3	475	September 29, 2020
Event API ; event.remove() does not work on key with special character ? encoding problem? Logstash	1	606	December 17, 2018
How to use logstash to collect docker logs cleanly Logstash	7	539	April 25, 2021
Special characters in data preventing CSV import using logstash 6.6.2 Logstash	5	2866	April 17, 2019
Remove special characters in a filed value Logstash	3	2234	December 26, 2017

Removing special characters

Related Topics