Solved

'panic encountered: non-string given for securityresult.description'

  • February 6, 2025
  • 9 replies
  • 47 views

samryanturner

I have the following parser code -

    # Security Result
    if [severity] == "INFO" {
      mutate {
        replace => {
          "security_result_action" => "ALLOW"
          "security_result_description" => "SUCCESS"
        }
      }
    }

However when previewing its output I see the following error -

    generic::unknown: pipeline.ParseLogEntry failed: LOG_PARSING_CBN_ERROR: "generic::invalid_argument: failed to convert raw output to events: failed to convert raw message 0: field \"idm\": index 0: recursive rawDataToProto failed: field \"read_only_udm\": index 0: recursive rawDataToProto failed: field \"security_result\": index 0: recursive rawDataToProto failed: panic encountered: non-string given for backstory.SecurityResult.description: []interface {} []interface {}{\"SUCCESS\"}"

Why is this not being interpreted as a string?

Best answer by dlove40

 


9 replies

Rene_Figueroa
Staff

Hi, 

The UDM field security_result.description takes a string as a parameter whereas security_result.action takes a constant value (predefined values). In the case above, you need to pass "SUCCESS" in a variable. Something similar to this:

 

mutate {
  replace => {
    "security_result_description" => "%{otherTokenValue}"
  }
}

Where "otherTokenValue" stores "SUCCESS"  


samryanturner
  • Author
  • Bronze 5
  • February 6, 2025



Okay I have the following which returns the same error -

    # Security Result
    if [severity] == "INFO" {
      mutate { replace => { "description" => "SUCCESS" } }
      mutate {
        replace => {
          "security_result_action" => "ALLOW"
          "security_result_description" => "%{description}"
        }
      }
    }

marcus_aurelius

Can you please post where your security_result_description is changed to security_result.description?


  • Bronze 1
  • February 6, 2025

Your replace statement should be fine; replace would set both of those variables to a string regardless of whether you use a variable or not. The error likely lies somewhere after this. Can you share the rest of your parser code?


samryanturner
  • Author
  • Bronze 5
  • February 6, 2025



Sure, here is the full block for SecurityResult -

    # Security Result
    if [severity] == "INFO" {
      mutate { replace => { "description" => "SUCCESS" } }
      mutate {
        replace => {
          "security_result_action" => "ALLOW"
          "security_result_description" => "%{description}"
        }
      }
    } else if [severity] == "ERROR" {
      mutate {
        replace => {
          "security_result_action" => "BLOCK"
          "security_result_description" => "%{jsonPayload.status.message}"
        }
      }
    }
    mutate {
      merge => {
        "security_result.action" => "security_result_action"
        "security_result.description" => "security_result_description"
      }
    }
    # Merge final security result
    mutate {
      merge => { "udm_event.idm.read_only_udm.security_result" => "security_result" }
    }

  • Bronze 1
  • February 6, 2025


Based on what you have shared here, my guess would be that the contents of jsonPayload.status.message are the problem. If you insert a statedump {} statement on line 30 and run the parser again, can you share the output of the statedump?


dlove40
  • Bronze 2
  • Answer
  • February 6, 2025

 

    filter {
      mutate {
        replace => {
          "event_type" => "GENERIC_EVENT"
          "severity" => "INFO"
        }
      }

      # Security Result
      if [severity] == "INFO" {
        mutate { replace => { "description" => "SUCCESS" } }
        mutate {
          replace => {
            "security_action" => "ALLOW"
            "security_result.description" => "%{description}"
          }
        }
      } else if [severity] == "ERROR" {
        mutate {
          replace => {
            "security_action" => "BLOCK"
            "security_result.description" => "%{jsonPayload.status.message}"
          }
        }
      }

      # Merge Action
      if [security_action] != "" {
        mutate { merge => { "security_result.action" => "security_action" } }
      }

      # Merge Security Results
      if [security_result] != "" {
        mutate { merge => { "event.idm.read_only_udm.security_result" => "security_result" } }
      }

      # Default Event Data
      mutate { replace => { "event.idm.read_only_udm.metadata.event_type" => "%{event_type}" } }

      # Generate Event
      mutate { merge => { "@output" => "event" } }
    }
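Why the original block failed and why this answer works, as an added example that is not part of the thread: in this parser syntax `replace` stores a single string, while `merge` appends the source field to the destination and so produces a repeated field (a list). UDM's security_result.action is repeated, so merging into it is correct; security_result.description is a single string, so merging into it produces ["SUCCESS"], which is the `[]interface {}{"SUCCESS"}` in the panic. The Python below is a simplified model of those two mutations written for this page (not Chronicle's implementation and not the poster's code), run over two constructed log entries; `KNOWN_ACTIONS`, the helper names and the shape check are this example's own assumptions.

```python
"""Added example, not the thread's parser or Chronicle's code: a toy model of
the parser's `replace` and `merge` mutations.  `replace` stores one string;
`merge` appends the source value to the destination, i.e. builds a repeated
field (a list).  UDM's SecurityResult.action is repeated, but description is
a single string, so merging into it yields ["SUCCESS"] and the proto panics."""
import re
from typing import Any

INTERP = re.compile(r"%\{([^}]+)\}")  # %{dotted.field} placeholders
KNOWN_ACTIONS = {"ALLOW", "BLOCK"}  # subset of UDM SecurityResult.Action values

# Constructed sample log entries (not taken from the original post).
INFO_LOG = {"severity": "INFO", "jsonPayload": {"status": {"message": "ok"}}}
ERROR_LOG = {"severity": "ERROR",
             "jsonPayload": {"status": {"message": "permission denied"}}}


def get_path(state: dict, path: str) -> Any:
    """Read a dotted path such as jsonPayload.status.message; None if absent."""
    cur: Any = state
    for part in path.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def set_path(state: dict, path: str, value: Any) -> None:
    """Write a dotted path, creating intermediate objects as needed."""
    parts = path.split(".")
    cur = state
    for part in parts[:-1]:
        cur = cur.setdefault(part, {})
    cur[parts[-1]] = value


def replace(state: dict, assignments: dict) -> None:
    """mutate { replace => { dest => "template" } }: dest becomes one string."""
    for dest, template in assignments.items():
        def fill(m):
            v = get_path(state, m.group(1))
            return "" if v is None else str(v)
        set_path(state, dest, INTERP.sub(fill, template))


def merge(state: dict, assignments: dict) -> None:
    """mutate { merge => { dest => "src" } }: append src's value to dest (repeated)."""
    for dest, src in assignments.items():
        value = get_path(state, src)
        if value is None:
            continue
        existing = get_path(state, dest)
        bucket = existing if isinstance(existing, list) else []
        bucket.append(value)
        set_path(state, dest, bucket)


def check_security_result(sr: dict) -> list[str]:
    """Shape check mirroring the conversion error: description must be a
    string, action a list of known enum names."""
    errors = []
    desc = sr.get("description")
    if desc is not None and not isinstance(desc, str):
        errors.append(f"non-string given for SecurityResult.description: {desc!r}")
    actions = sr.get("action", [])
    if not isinstance(actions, list):
        errors.append(f"SecurityResult.action must be repeated, got {actions!r}")
    else:
        errors.extend(f"unknown action {a!r}" for a in actions if a not in KNOWN_ACTIONS)
    return errors


def broken_security_result(log: dict) -> dict:
    """The original post's approach: merge into description as well as action."""
    state = dict(log)
    if state.get("severity") == "INFO":
        replace(state, {"description": "SUCCESS"})
        replace(state, {"security_result_action": "ALLOW",
                        "security_result_description": "%{description}"})
    elif state.get("severity") == "ERROR":
        replace(state, {"security_result_action": "BLOCK",
                        "security_result_description": "%{jsonPayload.status.message}"})
    merge(state, {"security_result.action": "security_result_action",
                  "security_result.description": "security_result_description"})
    return state["security_result"]


def fixed_event(log: dict) -> dict:
    """The accepted answer's approach: replace into description, merge only the
    repeated fields (action, and security_result itself).  Severity comes from
    the log rather than being hard-coded to INFO as in the posted test."""
    state = dict(log)
    replace(state, {"event_type": "GENERIC_EVENT"})
    if state.get("severity") == "INFO":
        replace(state, {"description": "SUCCESS"})
        replace(state, {"security_action": "ALLOW",
                        "security_result.description": "%{description}"})
    elif state.get("severity") == "ERROR":
        replace(state, {"security_action": "BLOCK",
                        "security_result.description": "%{jsonPayload.status.message}"})
    if get_path(state, "security_action"):
        merge(state, {"security_result.action": "security_action"})
    if get_path(state, "security_result"):
        merge(state, {"event.idm.read_only_udm.security_result": "security_result"})
    replace(state, {"event.idm.read_only_udm.metadata.event_type": "%{event_type}"})
    return state["event"]


if __name__ == "__main__":
    print("broken:", check_security_result(broken_security_result(INFO_LOG)))
    print("fixed: ", fixed_event(ERROR_LOG)["idm"]["read_only_udm"]["security_result"])
```

Running the block prints the shape error for the original approach (description arrives as a one-element list) and, for the fixed approach, a read_only_udm.security_result that is itself a list holding one object with a string description and a repeated action, which is the shape the proto conversion expects.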

 

 


Rene_Figueroa
Staff

 



Are you still getting the same error? Is "jsonPayload.status.message" a string or numeric? If it's not a string, then you'll need to convert it first.


samryanturner
  • Author
  • Bronze 5
  • February 7, 2025

 



Thank you, that's working now.