
I'm trying to parse ALIENVAULT_OTX. I've used a Python script that ingests the following log for each IOC:

id=4065110078|indicator=192.168.1.1|type=IPv4|description=|created=2025-05-02T20:25:08Z|content=

and this is my custom parser:

filter {
  mutate {
    replace => {
      "id" => ""
      "indicator" => ""
      "created" => ""
      "description" => ""
      "type" => ""
      "content" => ""
    }
  }
  kv {
    source => "message"
    field_split => "|"
    value_split => "="
    whitespace => "strict"
  }
  mutate {
    replace => {
      "event.idm.entity.metadata.vendor_name" => "AlienVault"
      "event.idm.entity.metadata.product_name" => "ALIENVAULT_OTX"
    }
  }
  date {
    match => ["created", "ISO8601"]
    target => "event.idm.entity.metadata.interval.start_time"
    on_error => "ts_not_found"
  }
  if [type] == "FileHash-SHA256" {
    mutate {
      replace => {
        "event.idm.entity.metadata.entity_type" => "FILE"
        "event.idm.entity.entity.file.sha256" => "%{indicator}"
      }
    }
  } else if [type] == "FileHash-SHA1" {
    mutate {
      replace => {
        "event.idm.entity.metadata.entity_type" => "FILE"
        "event.idm.entity.entity.file.sha1" => "%{indicator}"
      }
    }
  } else if [type] == "domain" {
    mutate {
      replace => {
        "event.idm.entity.metadata.entity_type" => "DOMAIN_NAME"
        "event.idm.entity.entity.hostname" => "%{indicator}"
      }
    }
  } else if [type] == "FileHash-MD5" {
    mutate {
      replace => {
        "event.idm.entity.metadata.entity_type" => "FILE"
        "event.idm.entity.entity.file.md5" => "%{indicator}"
      }
    }
  } else if [type] == "IPv4" and [indicator] != "" {
    mutate {
      replace => { "event.idm.entity.metadata.entity_type" => "IP_ADDRESS" }
    }
    if [event][idm][entity][metadata][entity_type] == "IP_ADDRESS" {
      mutate {
        merge => { "event.idm.entity.entity.ip" => "indicator" }
        on_error => "indicator_empty"
      }
      mutate {
        convert => { "indicator" => "bytes" }
        on_error => "failed_to_convert_indicator"
      }
      mutate {
        rename => { "indicator" => "event.ioc.ip_and_ports.ip_address" }
        on_error => "indicator_not_found"
      }
    }
  }
  if [type] != "" {
    mutate { merge => { "@output" => "event" } }
  }
  statedump {}
}

And this is the error I'm receiving:

generic::unknown: invalid event 0: LOG_PARSING_GENERATED_INVALID_EVENT: "generic::invalid_argument: unknown or unset entity type"

Can anyone please help me with this IP_ADDRESS mapping? I'm assuming there is an unset value for my entity_type, but I'm not sure what it is.

That's a bit of a misleading error message. Looks like you are actually missing something in event.idm.entity.metadata.threat; if you map a security result (even just threat_id or threat_feed_name) in there it should start working.
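The fix described in this answer, worked into a reduced version of the poster's parser as an added example (not the original poster's or Google's code): only the IPv4 branch is kept, and a security result is merged into event.idm.entity.metadata.threat before the entity is emitted. The feed name string and the reuse of the log's id as threat_id are assumptions.

```logstash
filter {
  mutate {
    replace => {
      "id" => "" "indicator" => "" "created" => ""
      "description" => "" "type" => "" "content" => ""
    }
  }
  kv {
    source => "message"
    field_split => "|"
    value_split => "="
    whitespace => "strict"
  }
  mutate {
    replace => {
      "event.idm.entity.metadata.vendor_name" => "AlienVault"
      "event.idm.entity.metadata.product_name" => "ALIENVAULT_OTX"
    }
  }
  date {
    match => ["created", "ISO8601"]
    target => "event.idm.entity.metadata.interval.start_time"
    on_error => "ts_not_found"
  }
  # Security result that the original parser lacked; the feed name is an
  # assumed label, threat_id reuses the OTX indicator id from the log line.
  mutate {
    replace => {
      "threat.threat_feed_name" => "AlienVault OTX"
      "threat.threat_id" => "%{id}"
    }
  }
  if [type] == "IPv4" and [indicator] != "" {
    mutate {
      replace => { "event.idm.entity.metadata.entity_type" => "IP_ADDRESS" }
    }
    # entity.ip is a repeated field, so the value is appended with merge
    mutate {
      merge => { "event.idm.entity.entity.ip" => "indicator" }
      on_error => "indicator_empty"
    }
  }
  if [type] != "" {
    # metadata.threat is a repeated SecurityResult; merge appends the object
    mutate { merge => { "event.idm.entity.metadata.threat" => "threat" } }
    mutate { merge => { "@output" => "event" } }
  }
}
```

The FileHash and domain branches from the original parser slot in as further else-if arms before the final block; the threat merge applies to all of them.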

I love you man, it really worked!
You wanna know something funny? That error made me actually read the whole documentation page, and before your answer I actually saw this:

I said to myself FILE worked just fine without specifying the threat details, so I didn't bother trying to put it in for the others. Anyways, thanks dude, hopefully they change the error message soon.
