Json parsing inside Message

Former Community Member

Hello Team, 
We are trying to parse fields from a JSON log format, but there are nested fields within the "Message".

We use the json filter and other different steps.

All the fields inside the "Message" are not being parsed. Please check the sample log for reference.
{"EventReceivedTime": "202*-0*-** 21:44:45","SourceModuleName": "in_json_log","SourceModuleType": "im_file","Message": ",{\"_id\":\"66**c7d23afb**6e6*0f2\",\"serialNum\":0,\"acknowledged\":***,\"time\":\"202*-0*-**T14:14:04.657Z\",\"hostname\":\"e-d**-g**l-cluster-normal--7-mm.q-gcp-00-d-g-24-02.181862379",\"fqdn\":\"\",\"containerName\":\"bu\",\"containerID\":\"2a91f881c8075c4f34db5*****3d6e\",\"imageName\":\"d***.io/google/cloud-:l\",
Please suggest a way to parse the fields inside Message.


Hi,

Is this the real message received in the SIEM (escaped characters, comma character before {, etc.)? Because if the original message is like the following:

{
    "EventReceivedTime": "202*-0*-** 21:44:45",
    "SourceModuleName": "in_json_log",
    "SourceModuleType": "im_file",
    "Message": {
        "_id": "66**c7d23afb**6e6*0f2",
        "serialNum": 0,
        "acknowledged":"***",
        "time": "202*-0*-**T14:14:04.657Z",
        "hostname": "e-d**-g**l-cluster-normal--7-mm.q-gcp-00-d-g-24-02.181862379",
        "fqdn": "",
        "containerName": "bu",
        "containerID": "2a91f881c8075c4f34db5*****3d6e",
        "imageName": "d***.io/google/cloud-:l"
    }
}

you can easily extract it using the json command:

  json {
    source => "message"
    array_function => "split_columns"
    on_error => "not_json"
  }

and the parser automatically creates the id, serialNum, hostname, etc. variables.

Former Community Member

Hi bsalvatore,

I tried the json filter; it doesn't work for the fields inside Message.

{
    "EventReceivedTime": "202*-0*-** 21:44:45",
    "SourceModuleName": "in_json_log",
    "SourceModuleType": "im_file",

These fields will work with the json filter,

but the fields inside Message will not get parsed.

"Message": {
        "_id": "66**c7d23afb**6e6*0f2",
        "serialNum": 0,
        "acknowledged":"***",
        "time": "202*-0*-**T14:14:04.657Z",
        "hostname": "e-d**-g**l-cluster-normal--7-mm.q-gcp-00-d-g-24-02.181862379",
        "fqdn": "",
        "containerName": "bu",
        "containerID": "2a91f881c8075c4f34db5*****3d6e",
        "imageName": "d***.io/google/cloud-:l"
    }


Have you tried using the statedump {} command to debug the message? If the raw log is correct, you should see something like the screenshot in the debug view.

[Screenshot: Screenshot 2024-05-21 120747.png, statedump output in the debug view]

In this case you can simply access the data using the following block (I suggest you check that the text is mapped):

  if [Message][containerID] != "" {
    mutate {
      replace => {
        "event.idm.read_only_udm...." => "%{Message.containerID}"
      }
    }
  }
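The behaviour both replies are working around, shown as an added Python example (not parser code from this thread and not Chronicle's json filter itself): the outer parse leaves a string-valued Message unparsed, so the nested fields need a second pass, here after stripping the stray leading comma seen in the question's sample. The two sample logs and their placeholder values are constructed; the dotted field names mirror the %{Message.containerID} reference used above.

```python
import json

# Constructed samples (placeholder values, not real identifiers).
# RAW_LOG mirrors the log in the question: the outer record is valid JSON, but
# "Message" is a string holding escaped JSON with a stray leading comma.
RAW_LOG = (
    '{"EventReceivedTime": "2024-01-01 21:44:45",'
    '"SourceModuleName": "in_json_log","SourceModuleType": "im_file",'
    '"Message": ",{\\"_id\\":\\"PLACEHOLDER_ID\\",\\"serialNum\\":0,'
    '\\"containerName\\":\\"bu\\",\\"containerID\\":\\"PLACEHOLDER_CID\\"}"}'
)
# NESTED_LOG is the shape the first reply assumes: Message is a real object.
NESTED_LOG = (
    '{"EventReceivedTime": "2024-01-01 21:44:45",'
    '"Message": {"_id": "PLACEHOLDER_ID", "containerID": "PLACEHOLDER_CID"}}'
)


def parse_message(message):
    """Second pass over a string-valued Message: drop the stray leading comma,
    then parse the embedded JSON. Returns None when it still is not JSON."""
    if not isinstance(message, str):
        return None
    cleaned = message.strip().lstrip(",").strip()
    try:
        parsed = json.loads(cleaned)
    except json.JSONDecodeError:
        return None
    return parsed if isinstance(parsed, dict) else None


def parse_log(raw):
    """Two-stage parse. Returns (fields, error): fields uses dotted names such
    as 'Message.containerID' (the path %{Message.containerID} refers to);
    error is None, or 'not_json' when Message could not be decoded."""
    event = json.loads(raw)                       # stage 1: outer object only
    fields = {k: v for k, v in event.items() if k != "Message"}
    message = event.get("Message")
    nested = message if isinstance(message, dict) else parse_message(message)
    if nested is None:                            # keep raw text for debugging
        fields["Message"] = message
        return fields, "not_json"
    for key, value in nested.items():
        fields[f"Message.{key}"] = value
    return fields, None
```

Running parse_log on RAW_LOG yields Message.containerID only because of the second pass; on NESTED_LOG the nested object is already there and no second pass is needed.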


Former Community Member

I have used the statedump; the fields are getting mapped.

I will use the above syntax; hopefully it works.