Doubt in Json Parser

{
  "Records": [
    {
      "awsRegion": "ap-south-1",
      "eventCategory": "Data",
      "eventName": "GetObject",
      "eventSource": "s3.amazonaws.com",
      "eventTime": "2025-01-08T14:22:14Z",
      "eventType": "AwsApiCall",
      "resources": [
        {
          "ARN": "arn:aws:s3:::abc/fake/5a660ee115645811/1942c4f7458e:1944564ta60:84a2d733",
          "type": "AWS::S3::Object"
        },
        {
          "ARN": "arn:aws:s3:::abc",
          "accountId": "352484409731",
          "type": "AWS::S3::Bucket"
        }
      ],
      "responseElements": null,
      "sourceIPAddress": "13.200.103.212"
    }
  ]
}

This is my sample log, and here is my parser.

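filter {
    # Parse the raw message. On failure only the "not_json_format" flag is set;
    # nothing below checks it, so a non-JSON message still reaches the loop over
    # Records. Consider gating on that flag (e.g. dropping the event) first.
    json {
        source => "message"
        array_function => "split_columns"
        on_error => "not_json_format"
    }

    # Static metadata. src_present is a scratch flag flipped to "true" below when
    # a usable sourceIPAddress is found.
    mutate {
        replace => {
            "src_present" => "false"
            "event1.idm.read_only_udm.metadata.vendor_name" => "AWS"
            "event1.idm.read_only_udm.metadata.product_name" => "CLOUDTRAIL"
            "event1.idm.read_only_udm.metadata.event_type" => "GENERIC_EVENT"
        }
    }

    for k, v in Records map {
        # Nested array elements are addressed with a dotted path that includes
        # the index (resources.0.ARN), not with [0]. In the sample log element 0
        # is the S3 object and element 1 is the bucket; the object ARN is copied
        # into target.resource.name. The value comes straight from the log, so a
        # missing element only sets the error flag instead of failing the parse.
        mutate {
            replace => {
                "event1.idm.read_only_udm.target.resource.name" => "%{v.resources.0.ARN}"
            }
            on_error => "target_resource_not_set"
        }

        if [v][sourceIPAddress] not in ["", "null", "None"] {
            mutate {
                replace => {
                    "src_present" => "true"
                }
            }

            # merge copies the value of the named field into the ip list.
            # CloudTrail may put a service DNS name in sourceIPAddress rather
            # than an address; on_error keeps such records from failing the
            # whole parse.
            mutate {
                merge => {
                    "event1.idm.read_only_udm.principal.ip" => "v.sourceIPAddress"
                }
                on_error => "principal_ip_not_set"
            }
        }
    }

    # Debug aid only; remove before production use.
    statedump{
        label => "foo"
    }

    mutate {
        merge => { "@output" => "event1" }
    }
}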

How am I supposed to access the ARN of the first element of the resources array, i.e. (arn:aws:s3:::abc/fake/5a660ee115645811/1942c4f7458e:1944564ta60:84a2d733)?

Can anyone help me with this?


Here is a modified version that you can use. I didn't loop through the resources, but you can. I also access the ARN and map it to hostname, just to show how to access that field.

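filter {
    # Parse the raw message. Failure only sets the "not_json_format" flag, which
    # nothing below checks; gate on it before the loop if non-JSON input is possible.
    json {
        source => "message"
        array_function => "split_columns"
        on_error => "not_json_format"
    }

    # Static metadata. src_present is a scratch flag flipped to "true" below when
    # a usable sourceIPAddress is found.
    mutate {
        replace => {
            "src_present" => "false"
            "event1.idm.read_only_udm.metadata.vendor_name" => "AWS"
            "event1.idm.read_only_udm.metadata.product_name" => "CLOUDTRAIL"
            "event1.idm.read_only_udm.metadata.event_type" => "GENERIC_EVENT"
        }
    }

    for index, record in Records {

        # Illustrative only: the first resources element is addressed with a
        # dotted index (resources.0.ARN). This runs regardless of whether a
        # source IP is present, since the ARN does not depend on it. An S3
        # object ARN is not a hostname; map it to a resource field in a real
        # parser. The error label is distinct from the ip one so a failure here
        # is not misreported as a missing IP.
        mutate {
            replace => {
                "event1.idm.read_only_udm.principal.hostname" => "%{record.resources.0.ARN}"
            }
            on_error => "principal_hostname_not_set"
        }

        if [record][sourceIPAddress] not in ["", "null", "None"] {
            mutate {
                replace => {
                    "src_present" => "true"
                }
            }

            # merge copies the value of the named field into the ip list.
            # sourceIPAddress may hold a service DNS name rather than an
            # address; on_error keeps such records from failing the parse.
            mutate {
                merge => {
                    "event1.idm.read_only_udm.principal.ip" => "record.sourceIPAddress"
                }
                on_error => "principal_ip_not_set"
            }
        }
    }

    # Debug aid only; remove before production use.
    statedump{ label => "foo" }

    mutate {
        merge => { "@output" => "event1" }
    }
}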