
I have the following parser code -

# Security Result
# For INFO-severity messages, set two working fields that are later copied
# into the UDM security_result (that copy step is outside this snippet).
# NOTE(review): replace assigns plain string values here, yet the error quoted
# below reports description arriving as a list ([]interface {}{"SUCCESS"}) —
# so the list wrapping presumably happens in a later step, not in this block.
if [severity] == "INFO" {
  mutate {
    replace => {
      "security_result_action" => "ALLOW"
      "security_result_description" => "SUCCESS"
    }
  }
}

However, when previewing its output I see the following error:

generic::unknown: pipeline.ParseLogEntry failed: LOG_PARSING_CBN_ERROR: "generic::invalid_argument: failed to convert raw output to events: failed to convert raw message 0: field \\"idm\\": index 0: recursive rawDataToProto failed: field \\"read_only_udm\\": index 0: recursive rawDataToProto failed: field \\"security_result\\": index 0: recursive rawDataToProto failed: panic encountered: non-string given for backstory.SecurityResult.description: []interface {} []interface {}{\\"SUCCESS\\"}"

Why is this not being interpreted as a string?

Hi, 


The UDM field security_result.description takes a string value, whereas security_result.action takes a constant from a predefined set of values. In the case above, you need to pass "SUCCESS" through a variable, something similar to this:


 


# Form suggested in the reply: populate the description from another field
# rather than a literal. "%{otherTokenValue}" is substituted with the value
# held in the field otherTokenValue (the reply assumes it holds "SUCCESS").
mutate {
  replace => {
    "security_result_description" => "%{otherTokenValue}"
  }
}

where "otherTokenValue" is the field that stores "SUCCESS".


Hi, 


The UDM field security_result.description takes a string value, whereas security_result.action takes a constant from a predefined set of values. In the case above, you need to pass "SUCCESS" through a variable, something similar to this:


 


# Form suggested in the reply: populate the description from another field
# rather than a literal. "%{otherTokenValue}" is substituted with the value
# held in the field otherTokenValue (the reply assumes it holds "SUCCESS").
mutate {
  replace => {
    "security_result_description" => "%{otherTokenValue}"
  }
}

where "otherTokenValue" is the field that stores "SUCCESS".


Okay, I now have the following, which returns the same error:

# Security Result
# Second attempt: stage "SUCCESS" in a working field (description) and then
# reference it via %{description}, as suggested in the reply above.
# NOTE(review): both replace calls still produce string values, so the
# original error (description received as a list) is not caused by these
# lines — look at the merge steps that follow in the full block posted later.
if [severity] == "INFO" {

  mutate {
    replace => {
      "description" => "SUCCESS"
    }
  }
  mutate {
    replace => {
      "security_result_action" => "ALLOW"
      "security_result_description" => "%{description}"
    }
  }
}

Can you please post where your security_result_description is mapped to security_result.description?


Your replace statement should be fine: replace sets both of those fields to a string regardless of whether you use a variable or not. The error likely lies somewhere after this; can you share the rest of your parser code?


Your replace statement should be fine: replace sets both of those fields to a string regardless of whether you use a variable or not. The error likely lies somewhere after this; can you share the rest of your parser code?


Sure, here is the full block for SecurityResult:

# Security Result
# Builds security_result.action / security_result.description from working
# fields and then attaches security_result to the UDM event.
if [severity] == "INFO" {

  # Stage the literal so it can be referenced as %{description} below.
  mutate {
    replace => {
      "description" => "SUCCESS"
    }
  }
  mutate {
    replace => {
      "security_result_action" => "ALLOW"
      "security_result_description" => "%{description}"
    }
  }
}
else if [severity] == "ERROR" {
  # Copies the upstream status message verbatim into the description.
  # NOTE(review): the thread later asks whether this field is a string; if it
  # can be numeric or absent, convert or guard it before using it here.
  mutate {
    replace => {
      "security_result_action" => "BLOCK"
      "security_result_description" => "%{jsonPayload.status.message}"
    }
  }
}

# NOTE(review): this merge is the likely source of the reported error. The
# error shows description arriving as []interface {}{"SUCCESS"} — a list —
# while backstory.SecurityResult.description expects a single string. merge
# appears to wrap the source value in a list, so description should be set
# with replace instead; the working version later in the thread does exactly
# that and keeps merge only for security_result.action.
mutate {
  merge => {
    "security_result.action" => "security_result_action"
    "security_result.description" => "security_result_description"
  }
}

# Merge final security result
# Attaches the assembled security_result to the event. The target root here
# is udm_event.…, whereas the later working version builds event.… and then
# merges "event" into @output; the root must match whatever is emitted.
mutate {
  merge => {
    "udm_event.idm.read_only_udm.security_result" => "security_result"
  }
}

Sure, here is the full block for SecurityResult:

# Security Result
# Builds security_result.action / security_result.description from working
# fields and then attaches security_result to the UDM event.
if [severity] == "INFO" {

  # Stage the literal so it can be referenced as %{description} below.
  mutate {
    replace => {
      "description" => "SUCCESS"
    }
  }
  mutate {
    replace => {
      "security_result_action" => "ALLOW"
      "security_result_description" => "%{description}"
    }
  }
}
else if [severity] == "ERROR" {
  # Copies the upstream status message verbatim into the description.
  # NOTE(review): the thread later asks whether this field is a string; if it
  # can be numeric or absent, convert or guard it before using it here.
  mutate {
    replace => {
      "security_result_action" => "BLOCK"
      "security_result_description" => "%{jsonPayload.status.message}"
    }
  }
}

# NOTE(review): this merge is the likely source of the reported error. The
# error shows description arriving as []interface {}{"SUCCESS"} — a list —
# while backstory.SecurityResult.description expects a single string. merge
# appears to wrap the source value in a list, so description should be set
# with replace instead; the working version later in the thread does exactly
# that and keeps merge only for security_result.action.
mutate {
  merge => {
    "security_result.action" => "security_result_action"
    "security_result.description" => "security_result_description"
  }
}

# Merge final security result
# Attaches the assembled security_result to the event. The target root here
# is udm_event.…, whereas the later working version builds event.… and then
# merges "event" into @output; the root must match whatever is emitted.
mutate {
  merge => {
    "udm_event.idm.read_only_udm.security_result" => "security_result"
  }
}

Based on what you have shared here, my guess would be that the contents of jsonPayload.status.message are the problem. If you insert a statedump {} statement on line 30 and run the parser again, can you share the output of the statedump?


 

filter {
  # Defaults. NOTE(review): severity is hard-set to "INFO" here and nothing in
  # this snippet overrides it, so as shown the ERROR branch below can never be
  # taken — presumably the real parser extracts severity from the message
  # before this point. If it does not, the %{jsonPayload.status.message} path
  # (and the string-vs-numeric question raised in the thread) is untested.
  mutate {
    replace => {
      "event_type" => "GENERIC_EVENT"
      "severity" => "INFO"
    }
  }
  # Security Result
  # Working version: security_result.description (a single string in UDM) is
  # set with replace, and only security_result.action is assembled via merge.
  # This avoids the earlier failure where building description through merge
  # delivered it as a list ([]interface {}{"SUCCESS"}).
  if [severity] == "INFO" {

    mutate {
      replace => {
        "description" => "SUCCESS"
      }
    }
    mutate {
      replace => {
        "security_action" => "ALLOW"
        "security_result.description" => "%{description}"
      }
    }
  }
  else if [severity] == "ERROR" {
    # Copies the upstream status message verbatim into the description.
    # NOTE(review): if jsonPayload.status.message is missing or not a string,
    # convert or guard it first (see the question raised in the thread).
    mutate {
      replace => {
        "security_action" => "BLOCK"
        "security_result.description" => "%{jsonPayload.status.message}"
      }
    }
  }
  # Merge Action
  # Only attach an action when one was chosen above.
  if [security_action] != "" {
    mutate {
      merge => {
        "security_result.action" => "security_action"
      }
    }
  }
  # Merge Security Results
  # Attach the assembled security_result to the event only if it was populated.
  if [security_result] != "" {
    mutate {
      merge => {
        "event.idm.read_only_udm.security_result" => "security_result"
      }
    }
  }
  # Default Event Data
  mutate {
    replace => {
      "event.idm.read_only_udm.metadata.event_type" => "%{event_type}"
    }
  }
  # Generate Event
  # Emit the assembled event by merging it into @output.
  mutate {
    merge => {
      "@output" => "event"
    }
  }
}

 

 


 

filter {
  # Defaults. NOTE(review): severity is hard-set to "INFO" here and nothing in
  # this snippet overrides it, so as shown the ERROR branch below can never be
  # taken — presumably the real parser extracts severity from the message
  # before this point. If it does not, the %{jsonPayload.status.message} path
  # (and the string-vs-numeric question raised in the thread) is untested.
  mutate {
    replace => {
      "event_type" => "GENERIC_EVENT"
      "severity" => "INFO"
    }
  }
  # Security Result
  # Working version: security_result.description (a single string in UDM) is
  # set with replace, and only security_result.action is assembled via merge.
  # This avoids the earlier failure where building description through merge
  # delivered it as a list ([]interface {}{"SUCCESS"}).
  if [severity] == "INFO" {

    mutate {
      replace => {
        "description" => "SUCCESS"
      }
    }
    mutate {
      replace => {
        "security_action" => "ALLOW"
        "security_result.description" => "%{description}"
      }
    }
  }
  else if [severity] == "ERROR" {
    # Copies the upstream status message verbatim into the description.
    # NOTE(review): if jsonPayload.status.message is missing or not a string,
    # convert or guard it first (see the question raised in the thread).
    mutate {
      replace => {
        "security_action" => "BLOCK"
        "security_result.description" => "%{jsonPayload.status.message}"
      }
    }
  }
  # Merge Action
  # Only attach an action when one was chosen above.
  if [security_action] != "" {
    mutate {
      merge => {
        "security_result.action" => "security_action"
      }
    }
  }
  # Merge Security Results
  # Attach the assembled security_result to the event only if it was populated.
  if [security_result] != "" {
    mutate {
      merge => {
        "event.idm.read_only_udm.security_result" => "security_result"
      }
    }
  }
  # Default Event Data
  mutate {
    replace => {
      "event.idm.read_only_udm.metadata.event_type" => "%{event_type}"
    }
  }
  # Generate Event
  # Emit the assembled event by merging it into @output.
  mutate {
    merge => {
      "@output" => "event"
    }
  }
}

 

 


Are you still getting the same error? Is "jsonPayload.status.message" a string or numeric? If it is not a string, you will need to convert it first.


 

filter {
  # Defaults. NOTE(review): severity is hard-set to "INFO" here and nothing in
  # this snippet overrides it, so as shown the ERROR branch below can never be
  # taken — presumably the real parser extracts severity from the message
  # before this point. If it does not, the %{jsonPayload.status.message} path
  # (and the string-vs-numeric question raised in the thread) is untested.
  mutate {
    replace => {
      "event_type" => "GENERIC_EVENT"
      "severity" => "INFO"
    }
  }
  # Security Result
  # Working version: security_result.description (a single string in UDM) is
  # set with replace, and only security_result.action is assembled via merge.
  # This avoids the earlier failure where building description through merge
  # delivered it as a list ([]interface {}{"SUCCESS"}).
  if [severity] == "INFO" {

    mutate {
      replace => {
        "description" => "SUCCESS"
      }
    }
    mutate {
      replace => {
        "security_action" => "ALLOW"
        "security_result.description" => "%{description}"
      }
    }
  }
  else if [severity] == "ERROR" {
    # Copies the upstream status message verbatim into the description.
    # NOTE(review): if jsonPayload.status.message is missing or not a string,
    # convert or guard it first (see the question raised in the thread).
    mutate {
      replace => {
        "security_action" => "BLOCK"
        "security_result.description" => "%{jsonPayload.status.message}"
      }
    }
  }
  # Merge Action
  # Only attach an action when one was chosen above.
  if [security_action] != "" {
    mutate {
      merge => {
        "security_result.action" => "security_action"
      }
    }
  }
  # Merge Security Results
  # Attach the assembled security_result to the event only if it was populated.
  if [security_result] != "" {
    mutate {
      merge => {
        "event.idm.read_only_udm.security_result" => "security_result"
      }
    }
  }
  # Default Event Data
  mutate {
    replace => {
      "event.idm.read_only_udm.metadata.event_type" => "%{event_type}"
    }
  }
  # Generate Event
  # Emit the assembled event by merging it into @output.
  mutate {
    merge => {
      "@output" => "event"
    }
  }
}

 

 


Thank you, that's working now.

