Extract nested json issue

rfinney · February 1, 2024, 4:43pm

1. Describe your incident:
I’m feeding DUO security logs into Graylog using Elastic Agent. I’m running an initial json extraction using the code I found from @tmacgbay. But when I try to run a second json extraction further down for the nested fields it’s not working.

Data 1:

{"access_device":{"epkey":"57KUNSYFRI2UYNRFW3","hostname":null,"ip":"10.10.10.10","location":{"city":"Atlanta","country":"United States","state":"Georgia"}},"alias":"","application":{"key":"57HD233375NY29","name":"Google Workspace - Admin and Staff"},"auth_device":{"ip":"11.11.11.11","key":"DPW35H33X23752397HN","location":{"city":"Atlanta","country":"United States","state":"Georgia"},"name":"000-000-0001"},"email":"user@company.com","event_type":"authentication","factor":"verified_duo_push","isotimestamp":"2024-02-01T16:08:57.496224+00:00","ood_software":null,"reason":"verification_code_correct","result":"success","timestamp":1706803737,"trusted_endpoint_status":"unknown","txid":"8ac223a3-035e-4033-a333-9337e33dc339","user":{"groups":["duo_it (from AD sync \"AD Sync Duo1\")","duo_pilot (from AD sync \"AD Sync Duo1\")"],"key":"DUOT63333HY9ZA233","name":"uname"}}

Pipeline Rule 1:

rule "type duo-json-parser" 
when 
   has_field("filebeat_input_type") AND
   (to_string($message.filebeat_input_type)) == "httpjson"
then   

    let the_json = parse_json(to_string($message.message));
    //debug(concat("The json: ", to_string(the_json)));
    
    let the_map = to_map(the_json);
    //debug(concat("The map: ", to_string(the_map)));

   set_fields(the_map);   
end

This parses out everything except the nested data.

In a pipeline further down I tried similar code to break out nested json in message fields access_device, application, and auth_device.

Fields:

access_device
    {"hostname":null,"epkey":"57KUNSYFRI2UYNRFW3","ip":"0.10.10.10","location":{"country":"United States","city":"Atlanta","state":"Georgia"}}
application
    {"name":"Google Workspace - Admin and Staff","key":"57HD233375NY29"}
auth_device
    {"ip":"11.11.11.11","name":"000-000-0001","location":{"country":"United States","city":"Atlanta","state":"Georgia"},"key":"DPW35H33X23752397HN"}

rule "type duo-json-parser-access_device" 
when 
   has_field("access_device")
then   
    let the_json = parse_json(to_string($message.access_device));
    debug(concat("The json: ", to_string(the_json)));
    
    let the_map = to_map(the_json);
    debug(concat("The map: ", to_string(the_map)));

   set_fields(the_map);   
end

But it doesn’t parse the data.
I checked the debug logs and it’s showing:

2024-02-01T11:15:15.482-05:00 INFO [Function] PIPELINE DEBUG: The json:
2024-02-01T11:15:15.483-05:00 INFO [Function] PIPELINE DEBUG: The map:

I confirmed it’s hitting the rule with a set_field below the set_fields
set_field(“xduo_test”, “002”);

2. Describe your environment:
Graylog 5.2.3
CentOS

Any ideas on how to accomplish this? Or why it’s not working?

rfinney · February 1, 2024, 5:52pm

Interestingly when I try to Add to query from the logs access_device, application, or auth_device it add this to the query: access_device:“[object Object]”

And when I look in the fields it doesn’t show access_device, etc…

rfinney · February 1, 2024, 6:24pm

So graylog doesn’t like nested json and it needs to be flat.

github.com/Graylog2/graylog-plugin-beats

Decoding nested JSON objects

opened 03:39PM - 11 May 16 UTC

luckyb56

feature triaged in progress

When using Packetbeat to send messages directly to Graylog2, the nested JSON obj…ects won't be decoded and would be seen as '[object Object],[object Object]' under search UI. Example input JSON message: ``` { "_index" : "graylog_5", "_type" : "message", "_id" : "572b9193-16df-11e6-8a3b-000c2942c251", "_version" : 1, "found" : true, "_source" : { "packetbeat_bytes_in" : 32, "packetbeat_method" : "QUERY", "packetbeat_type" : "dns", "packetbeat_responsetime" : 140, "packetbeat_query" : "class IN, type A, conn.skype.com", "gl2_remote_ip" : "172.16.220.1", "packetbeat_dns_question_name" : "conn.skype.com", "gl2_remote_port" : 65532, "packetbeat_dns_additionals_count" : 0, "packetbeat_dns_answers_count" : 2, "source" : "abs-MacBook-Pro.local", "type" : "dns", "gl2_source_input" : "572a39d0cdf3830902a406df", "packetbeat_dns_response_code" : "NOERROR", "packetbeat_direction" : "out", "packetbeat_client_ip" : "192.168.0.3", "packetbeat_dns_flags_recursion_allowed" : true, "packetbeat_dns_flags_truncated_response" : false, "packetbeat_dns_question_class" : "IN", "gl2_source_node" : "b6d4add1-2cfc-4fd1-b18d-0ad0478e00a8", "packetbeat_dns_flags_authoritative" : false, "packetbeat_status" : "OK", "packetbeat_client_port" : 60426, "timestamp" : "2016-05-10 18:45:16.558", "packetbeat_ip" : "192.168.0.1", "packetbeat_dns_op_code" : "QUERY", "packetbeat_bytes_out" : 83, "packetbeat_dns_flags_recursion_desired" : true, "packetbeat_transport" : "udp", "packetbeat_dns_authorities_count" : 0, "packetbeat_resource" : "conn.skype.com", "streams" : [ "572ae5c9cdf3830902a4bb7f" ], "packetbeat_dns_answers" : [ { "class" : "IN", "data" : "conn.skype.akadns.net", "name" : "conn.skype.com", "ttl" : 464, "type" : "CNAME" }, { "class" : "IN", "data" : "91.190.216.81", "name" : "conn.skype.akadns.net", "ttl" : 300, "type" : "A" } ], "message" : "-", "packetbeat_dns_question_type" : "A", "packetbeat_count" : 1, "name" : "MacBook-Pro.local", "packetbeat_dns_id" : 62527, "facility" : "packetbeat", "packetbeat_port" : 53 } } ``` packetbeat_dns_answers structure won't be decoded in this example.

github.com/Graylog2/graylog2-server

Fix problems rendering object field values

Graylog2:master ← Graylog2:beats-issue-3

opened 03:21PM - 21 Nov 16 UTC

edmundoa

+4 -4

Some messages may contain objects as field values and we need to properly conver…t them into strings that can be rendered by react. This commit changes the way we convert values into strings, relying on `JSON.stringify()` to do it. Refs Graylog2/graylog-plugin-beats#3. It may also be related to #2946. **Update**: As @joschi pointed out, this only fixes part of the problem in Graylog2/graylog-plugin-beats#3: being able to display messages with a hierarchical structure. The change does not affect how Graylog internally handles those messages.

Code from @jivepig found here appears to have fixed the issue:

rule "Random User Data Flatten Json Rule"
// From sample data : https://randomuser.me/api/
// Api input path: *
when
    true
then
    let sJson = to_string($message.message);
    let sJson = regex_replace(
        pattern: "^\\[|\\]$",
        value: sJson,
        replacement: ""
        );
    let rsJson = flatten_json(to_string(sJson), "flatten");
    set_fields(to_map(rsJson));
    //remove_field("result");
    //set_field("message", "parsed user data");
end

system · February 15, 2024, 6:24pm

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Parsing nested JSON message Graylog Central (peer support)	1	1125	October 16, 2019
How to extract Json field Graylog Central (peer support)	3	4092	March 14, 2019
JSON fields not extracted properly Graylog Central (peer support)	2	367	November 19, 2020
Can't extract from JSON Graylog Central (peer support) pipeline-rules	5	1757	September 7, 2020
JSON extractor not working Graylog Central (peer support) pipeline-rules	10	5693	August 22, 2020

Extract nested json issue

Related Topics