Ruby 我想通过logstash将一个json事件转换为多个事件,希望得到一些启发,谢谢
4个字段（warnTags、warnSlrs、warnActions、denyMsg）的值需要用分号(;)分隔。原始字符串：
{ "waf": {
"warnTags": "OWASP_CRS/WEB_ATTACK/SQL_INJECTION;OWASP_CRS/WEB_ATTACK/XSS;OWASP_CRS/WEB_ATTACK/XSS;OWASP_CRS/WEB_ATTACK/XSS;OWASP_CRS/WEB_ATTACK/SPECIAL_CHARS;OWASP_CRS/WEB_ATTACK/SQL_INJECTION",
"policy": "bot_77598",
"warnSlrs": "ARGS:wvstest;ARGS:wvstest;ARGS:wvstest;ARGS:wvstest;ARGS:wvstest;ARGS:wvstest",
"riskTuples": ":-973305-973333-973335",
"warnActions": "2;2;2;2;2;2",
"denyActions": "3",
"warnMsg": "SQL Injection Attack;XSS Attack Detected;IE XSS Filters - Attack Detected;IE XSS Filters - Attack Detected;Restricted SQL Character Anomaly Detection Alert - Total # of special characters exceeded;Classic SQL Injection Probes 1/2",
"riskGroups": ":XSS-ANOMALY",
"warnRules": "950901;973305;973333;973335;981173;981242",
"denyMsg": "Anomaly Score Exceeded for Cross-Site Scripting",
"ver": "2.0",
"denyData": "VmVjdG9yIFNjb3JlOiBx",
"riskScores": ":-5-5-2",
"warnData": "eHNzdGFnPigpbG9jeHNz;amF2YXNYcm"
} }
预期输出结果
{
"waf": {
"warnTags": "OWASP_CRS/WEB_ATTACK/SQL_INJECTION",
"policy": "bot_77598",
"warnSlrs": "ARGS:wvstest",
"riskTuples": ":-973305-973333-973335",
"warnActions": "2",
"denyActions": "3",
"warnMsg": "SQL Injection Attack",
"riskGroups": ":XSS-ANOMALY",
"warnRules": "950901",
"denyMsg": "Anomaly Score Exceeded for Cross-Site Scripting",
"ver": "2.0",
"denyData": "VmVjdG9yIFNjb3JlOiBx",
"riskScores": ":-5-5-2",
"warnData": "eHNzdGFnPigpbG9jeHNz;amF2YXNYcm"
}
}
{
"waf": {
"warnTags": "OWASP_CRS/WEB_ATTACK/XSS",
"policy": "bot_77598",
"warnSlrs": "ARGS:wvstest",
"riskTuples": ":-973305-973333-973335",
"warnActions": "2",
"denyActions": "3",
"warnMsg": "XSS Attack Detected",
"riskGroups": ":XSS-ANOMALY",
"warnRules": "973305",
"denyMsg": "Anomaly Score Exceeded for Cross-Site Scripting",
"ver": "2.0",
"denyData": "VmVjdG9yIFNjb3JlOiBx",
"riskScores": ":-5-5-2",
"warnData": "eHNzdGFnPigpbG9jeHNz;amF2YXNYcm"
}
}
下面的配置应该符合您的需要。它一开始先把消息解析为 json；根据管道中先前的步骤，您可能不需要这一步解析。本质上，它先用 mutate 过滤器按分号拆分 warnTags 字段，这会使 warnTags 变成嵌套在对象中的数组；字符串拆分的结果再交给更高层的 split 过滤器，该过滤器会按给定的输入字段（在这里同样是 warnTags）把一个事件拆分为多个输出事件。希望这有帮助。
[编辑：添加 warnSlrs 作为第二个拆分字段]
filter {
# Parse the raw message as JSON; drop this stage if an earlier step already did it.
json {
source => "message"
}
# mutate/split turns the ';'-joined string into an array in place (one field per block).
mutate {
split => {"[waf][warnTags]" => ";"}
}
mutate {
split => {"[waf][warnSlrs]" => ";"}
}
# Each split filter emits one event per array element of its field and the two run in
# sequence, so the result is the cross product of the two arrays: 6 warnTags x 6 warnSlrs
# yields 36 events (as reported in the discussion below), not 6 position-paired events.
split {
field => "[waf][warnTags]"
}
split {
field => "[waf][warnSlrs]"
}
}
你好！欢迎来到 Stack Overflow。请先阅读这里的文章。确保你的问题结构合理，将有助于将来得到最好的回答。我在下面的配置中尝试了一下，这应该能让你入门。祝你好运，麋鹿快乐。
谢谢你的回答，但我仍然不知道如何同时拆分两个以上的字段，虽然它们的分隔符都是分号(;)。
好的，我已经添加了 warnSlrs，希望你现在可以看到如何进一步扩展 :)
非常感谢你的持续帮助，但是我发现经过这个处理之后生成了 36 个事件。我希望在这个示例中一个事件只生成 6 个事件：拆分单个字段时 split 可以生成 6 个事件，但拆分多个字段会生成许多不需要的事件，可能需要用 ruby 来实现我的需求。
我原先假设您想要的是输出的叉积。
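filter {
  ruby {
    # Pair the semicolon-separated warn* fields position by position and
    # store one record per position under [waf][info]; the split filter
    # below then emits one event per record instead of the cross product
    # that splitting each field independently would produce.
    code => "
      # Field reference => key of that value in each [waf][info] record.
      # To pair another field, add it here, e.g. '[waf][warnSlrs]' => 'slr'.
      fields = {
        '[waf][warnTags]'    => 'tag',
        '[waf][warnMsg]'     => 'msg',
        '[waf][warnActions]' => 'action',
        '[waf][warnRules]'   => 'rule'
      }
      # Locals rather than @ivars: the code string is evaluated on the filter
      # object itself, so @ivars would outlive the current event.
      columns = fields.each_with_object({}) do |(field, key), acc|
        value = event.get(field)
        # A missing field becomes an empty list instead of raising
        # NoMethodError (which would only tag the event _rubyexception).
        acc[key] = value ? value.to_s.split(';') : []
      end
      lengths = columns.values.map(&:length).uniq
      if lengths.length > 1
        # zip would pad the shorter lists with nil and silently mis-pair
        # entries; tag the event and leave the fields untouched instead, so
        # the mismatched alert can be found downstream rather than lost.
        event.tag('_warnfields_length_mismatch')
      elsif lengths.first > 0
        info = Array.new(lengths.first) do |i|
          columns.each_with_object({}) { |(key, list), row| row[key] = list[i] }
        end
        fields.each_key { |field| event.remove(field) }
        event.set('[waf][info]', info)
      end
      # With nothing to split the event passes through unchanged.
    "
  }
  split {
    # One output event per [waf][info] record.
    field => "[waf][info]"
  }
}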