Could anybody please help me changing the timestamp and parsing the StartTime entry to date .
I consume that logstash ignore the date filter and keeps the default timestamp value.
This is my config file:
input {
file {
path => "/root/file.xml"
sincedb_path => "/dev/null"
start_position => "beginning"
codec => multiline {
pattern => "^<\?ScanGroup .*\>"
negate => "true"
max_lines => 100000000000
max_bytes => "50000000000 MiB"
what => "previous"
}
tags => "acu-test"
type => "acu-test"
}
}
filter {
if [type] == "acu-test" {
xml{
source =>"message"
target => "log4"
}
ruby{
code =>
'
event.set("ReportItem", event.get("[log4][Scan][0][ReportItems][0][ReportItem]"))
for value1 in event.get("[ReportItem]")
generated = LogStash::Event.new
generated.set("App_Name", "Labs")
generated.set("Scan_Name", event.get("[log4][Scan][0][Name]"))
generated.set("Scan_Name", event.get("[log4][Scan][0][Name]"))
generated.set("StartURL", event.get("[log4][Scan][0][StartURL]"))
generated.set("StartTime", event.get("[log4][Scan][0][StartTime]"))
generated.set("FinishTime", event.get("[log4][Scan][0][FinishTime]"))
generated.set("ScanTime", event.get("[log4][Scan][0][ScanTime]"))
generated.set("Aborted", event.get("[log4][Scan][0][Aborted]"))
generated.set("Responsive", event.get("[log4][Scan][0][Responsive]"))
generated.set("Os", event.get("[log4][Scan][0][Os]"))
generated.set("WebServer", event.get("[log4][Scan][0][WebServer]"))
for value2 in value1["TechnicalDetails"]
generated.set("TechnicalDetails", value2)
end
for value2 in value1["CVSS"]
generated.set("CVSS", value2)
end
new_event_block.call(generated)
end
'
}
mutate {
gsub => [
# replace all forward slashes with underscore
"StartTime", "/", "-",
"StartTime", ",", ""
]
}
date {
match => [ "StartTime", "dd-MM-yyyy HH:mm:ss" ]
}
mutate {
remove_field => ["parsed", "message", "log4"]
}
}
}
output {
if "_rubyexception" not in [tags]{
elasticsearch {
hosts => ["localhost:9200"]
index => "logstash-test"
}
stdout { codec => rubydebug }}
}
I add a part of debug result :
"Description" => [
[0] "When a new name and password is entered in a form and the form is submitted, the browser asks if the password should be saved.Thereafter when the form is displayed, the name and password are filled in automatically or are completed as the name is entered. An attacker with local access could obtain the cleartext password from the browser cache."
],
"StartTime" => [
[0] "28-09-2018 19:49:30"
],
"Aborted" => [
[0] "False"
],
"@version" => "1",
"App_Name" => "Application",
"WebServer" => [
[0] "Apache 2.x"
],
"FinishTime" => [
[0] "29/09/2018, 10:39:28"
],
"Technologies" => [
[0] "\n \n \n PHP\n \n \n "
],
"tags" => [
[0] "_dateparsefailure"
],
"Affects" => [
[0] "/mytravel"
],
"Scan_Name" => [
[0] "scan_name"
],
"Type-vulnerability" => [
[0] "informationdisclosure"
],
"ScanTime" => [
[0] "889 minutes, 55 seconds"
],
"@timestamp" => 2018-11-28T11:20:33.729Z,
"TechnicalDetails" => {
"Request" => [
[0]
]
},
"StartURL" => [
[0] "www.application.com"
],
"Responsive" => [
[0] "True"
],
"Vulnerability_Name" => [
[0] "Multiples vulnérabilités dans S/MIME et OpenPGP"
],
"ModuleName" => [
[0] "Crawler"
],
"Severity" => [
[0] "informational"
],
"Impact" => [
[0] "DOS DDos."
],
"Os" => [
[0] "Win7"
],
"Recommendation" => [
[0] " <br/>To disable auto-complete, you may use a code similar to: <pre><code><INPUT TYPE="password" AUTOCOMPLETE="off"></code></pre>"
],
"CVSS" => {
"I" => [
[0] "None"
],
"AV" => [
[0] "Network_Accessible"
],
"AC" => [
[0] "Low"
],
"Au" => [
[0] "None"
],
"Score" => [
[0] "0.0"
],
"C" => [
[0] "None"
],
"A" => [
[0] "None"
],
"Descriptor" => [
[0] "AV:N/AC:L/Au:N/C:N/I:N/A:N"
]
}
}
Thank you for your help.
