Unable to change timestamp and parse entry to date


(safaa) #1

Could anybody please help me changing the timestamp and parsing the StartTime entry to date .
I consume that logstash ignore the date filter and keeps the default timestamp value.

This is my config file:

input {
  file {
path => "/root/file.xml"
sincedb_path => "/dev/null"
start_position => "beginning"
codec => multiline {
pattern => "^<\?ScanGroup .*\>"
negate => "true"
max_lines => 100000000000
max_bytes => "50000000000 MiB"
what => "previous"
}
tags => "acu-test"
type => "acu-test"
  }
}

filter {

if [type] == "acu-test" {

    xml{

       source =>"message"
       target => "log4"
    }

    ruby{

       code => 
               '    
               event.set("ReportItem", event.get("[log4][Scan][0][ReportItems][0][ReportItem]"))


               for value1 in event.get("[ReportItem]")

                   generated = LogStash::Event.new

                   generated.set("App_Name", "Labs")
                   generated.set("Scan_Name", event.get("[log4][Scan][0][Name]"))

                   generated.set("Scan_Name", event.get("[log4][Scan][0][Name]"))
                   generated.set("StartURL", event.get("[log4][Scan][0][StartURL]"))
                   generated.set("StartTime", event.get("[log4][Scan][0][StartTime]"))
                   generated.set("FinishTime", event.get("[log4][Scan][0][FinishTime]"))
                   generated.set("ScanTime", event.get("[log4][Scan][0][ScanTime]"))
                   generated.set("Aborted", event.get("[log4][Scan][0][Aborted]"))
                   generated.set("Responsive", event.get("[log4][Scan][0][Responsive]"))
                   generated.set("Os", event.get("[log4][Scan][0][Os]"))
                   generated.set("WebServer", event.get("[log4][Scan][0][WebServer]"))



                   for value2 in value1["TechnicalDetails"]
                       generated.set("TechnicalDetails", value2)
                   end

                 
                    for value2 in value1["CVSS"]
                       generated.set("CVSS", value2)
                   end

                   new_event_block.call(generated)
 

               end
               '
         }
	mutate {
           gsub => [
           # replace all forward slashes with underscore
           "StartTime", "/", "-",
	             "StartTime", ",", ""
           ]
 
    }

     date {
        match => [ "StartTime", "dd-MM-yyyy HH:mm:ss" ]	

          }
 

    mutate {
       remove_field => ["parsed", "message", "log4"]
    }
}
}

output {
    
   if "_rubyexception" not in [tags]{ 
    elasticsearch {
        hosts => ["localhost:9200"]
        index => "logstash-test"

     }
    stdout { codec => rubydebug }}

}

I add a part of debug result :

           "Description" => [
        [0] "When a new name and password is entered in a form and the form is submitted, the browser asks if the password should be saved.Thereafter when the form is displayed, the name and password are filled in automatically or are completed as the name is entered. An attacker with local access could obtain the cleartext password from the browser cache."
    ],
             "StartTime" => [
        [0] "28-09-2018 19:49:30"
    ],
               "Aborted" => [
        [0] "False"
    ],
              "@version" => "1",
              "App_Name" => "Application",
             "WebServer" => [
        [0] "Apache 2.x"
    ],
            "FinishTime" => [
        [0] "29/09/2018, 10:39:28"
    ],
          "Technologies" => [
        [0] "\n            \n                \n                PHP\n                \n            \n        "
    ],
                  "tags" => [
        [0] "_dateparsefailure"
    ],
               "Affects" => [
        [0] "/mytravel"
    ],
             "Scan_Name" => [
        [0] "scan_name"
    ],
    "Type-vulnerability" => [
        [0] "informationdisclosure"
    ],
              "ScanTime" => [
        [0] "889 minutes, 55 seconds"
    ],
            "@timestamp" => 2018-11-28T11:20:33.729Z,
      "TechnicalDetails" => {
        "Request" => [
            [0]
        ]
    },
              "StartURL" => [
        [0] "www.application.com"
    ],
            "Responsive" => [
        [0] "True"
    ],
    "Vulnerability_Name" => [
        [0] "Multiples vulnérabilités dans S/MIME et OpenPGP"
    ],
            "ModuleName" => [
        [0] "Crawler"
    ],
              "Severity" => [
        [0] "informational"
    ],
                "Impact" => [
        [0] "DOS DDos."
    ],
                    "Os" => [
        [0] "Win7"
    ],
        "Recommendation" => [
        [0] " <br/>To disable auto-complete, you may use a code similar to: <pre><code>&lt;INPUT TYPE=&quot;password&quot; AUTOCOMPLETE=&quot;off&quot;&gt;</code></pre>"
    ],
                  "CVSS" => {
                 "I" => [
            [0] "None"
        ],
                "AV" => [
            [0] "Network_Accessible"
        ],
                "AC" => [
            [0] "Low"
        ],
                "Au" => [
            [0] "None"
        ],
             "Score" => [
            [0] "0.0"
        ],
                 "C" => [
            [0] "None"
        ],
                 "A" => [
            [0] "None"
        ],
        "Descriptor" => [
            [0] "AV:N/AC:L/Au:N/C:N/I:N/A:N"
        ]
    }
}

Thank you for your help.


(Guy Boertje) #2

It looks like all of your values are not plain strings but a single element array of string.

Try
match => [ "[StartTime][0]", "dd-MM-yyyy HH:mm:ss" ] in the date filter.


(safaa) #3

Thank you so much , it works :slight_smile: