filter {
mutate {
replace => {
"raw_Event" => ""
"src" => ""
"StatusCode" => ""
"AttackURI" => ""
"AttackData" => ""
"UserAgent" => ""
"dhost" => ""
"act" => ""
"requestMethod" => ""
"event.idm.read_only_udm.metadata.vendor_name" => "Indusface"
"event.idm.read_only_udm.metadata.product_name" => "WAF"
"event.idm.read_only_udm.metadata.event_type" => "NETWORK_CONNECTION"
}
}
grok {
match => {
"message" => ["CEF%{GREEDYDATA}src=%{IP:src} cn1=%{INT:StatusCode}%{GREEDYDATA}cs2=%{GREEDYDATA:AttackData} cs2%{GREEDYDATA} cs4=%{WORD:act}%{GREEDYDATA} cs5=%{GREEDYDATA:UserAgent} cs5%{GREEDYDATA}dhost=%{GREEDYDATA:dhost} requestMethod=%{WORD:requestMethod}", "CEF%{GREEDYDATA}src=%{IP:src}"]
}
overwrite => ["src", "act" , "StatusCode", "UserAgent", "dhost", "requestMethod", "AttackData"]
on_error => "grok_failed1"
}
mutate {
uppercase => ["act"]
}
if [act] not in ["", "null", "None"] {
mutate {
replace => {
"event.idm.read_only_udm.security_result.action_details" => "%{act}"
}
}
}
mutate {
merge => {
"@output" => "event"
}
}
}
I have written a parser. But how am I supposed to create a UDM field for device action?
This parser is throwing an error which is as followed :
I have written a parser. But how am I supposed to create a UDM field for device action?
This parser is throwing an error which is as followed :
generic::unknown: pipeline.ParseLogEntry failed: LOG_PARSING_CBN_ERROR: "generic::invalid_argument: failed to convert raw output to events: failed to convert raw message 0: field \\"idm\\": index 0: recursive rawDataToProto failed: field \\"read_only_udm\\": index 0: recursive rawDataToProto failed: field \\"security_result\\": failed to make strategy: received non-slice or non-array raw output for repeated field"
Can you tell me what do I need to change exactly to fix this.
@bsalvatore @citreno @jstoner