JSON pipeline: Unrecognized character escape

Please help.

I am trying to parse JSON.

My Pipeline:

rule "extract_json"
when
  has_field("json")
then
  // parse_json() alone only returns a JSON tree and stores nothing;
  // convert it to a map and write its keys onto the message
  set_fields(to_map(parse_json(to_string($message.json))));
end

Below is the error I get in the Graylog log:

exception_message
Unrecognized character escape 'a' (code 97)
at [Source:
{"atp_protocol":"rrs","data_direction":1,"data_source_ip":null,"data_source_url":null,"data_source_url_domain":null,"data_source_url_referer":null,"device_ip":"xxx.xx.xx.xxx","device_name":"xxxxxx","device_time":"2018-12-22T03:32:42.710Z","device_uid":"1ec71456-6d43-4e89-824a-108cffe408fa","disposition":1,"downloaded_portal_id":null,"enterprise_uid":"AF6158E4770CFA9CCA9F85E22ED85FB8","external_ip":null,"feature_name":"ATP:Endpoint","feature_ver":"2014.2.0","file":{"attributes":null,"confidence":4,"confidence_atp":4,"desc":null,"disposition":1,"disposition_atp":1,"file_age":null,"first_seen":null,"folder":"CSIDL_WINDOWS\assembly ativeimages_v2.0.50727_32\microsoft.visualstu#\a95c7cb1fd41f7b018c53bd4c05424ed","md5":"b59aae7e1f317f87ce0baf5d2867d6c5","name":"Microsoft.VisualStudio.Tools.Office.HostAdapter.v10.0.ni.dll","prevalence":0,"prevalence_band":0,"reputation_band":4,"sha2":"aa6faa778cb4f4b7a7e548143415b1c9c8afa48b38e8892418d13b85c2951800","signature_company_name":null,"signature_issuer":null,"signature_serial_number":null,"size":134144},"id":2,"initiating_engine":null,"parent_file_name":null,"parent_file_sha2":null,"parent_installer_url":null,"product_name":"ATP:Endpoint","request_reason":null,"rule_id":null,"rule_version":0,"sep_mid":"766fe06491274fd38dabb35390988fc9","type_id":4096,"zone_id":null,"user_name":"xxxxxxxxx","sep_installed":true}; line: 1, column: 629]

It is always a different unrecognized character escape. I guess that here, at WINDOWS\assembly, it recognizes the backslash as an escape.

Any advice?

Thanks.

Your JSON needs to be escaped properly.

Jan,
Thank you for your reply.

I'm still in the learning process. I would really appreciate it if you could clarify what you mean by "needs to be escaped properly".

I got this message from Symantec ATP, and it is in CEF format, so I used the CEF input, which parses the message into multiple fields, including a "json" field, and that json field contains all of that information.

Thank you.

Here is another message, but this time it was successfully parsed by the JSON extractor:

{"atp_protocol":"bash","bash":{"disposition":"1","engine_version":"10.4.0.43","recommended_action":"1","signature_version":"20181217.001","submission_type":"BASH-SONAR-PROD-GOOD","virus_id":"4294920985","virus_name":"SONAR.Module!gen3"},"data_source_url":null,"data_source_url_domain":null,"device_ip":"xxx.xx.xx.xxx","device_name":"xxxxxxx","device_time":"2018-12-24T19:20:08.944Z","disposition":1,"feature_name":"ATP:Endpoint","feature_ver":"xxxx.x.x","file":{"attributes":null,"desc":null,"folder":"CSIDL_WINDOWS\temp","md5":"fa49146dd9d7877f4eb1524d23a9ef17","name":"msi6f31.tmp","sha2":"df668bc0cb2a91626c8dc0f61e435d9b91ece902c56c39797315b40d78718df2","size":237246},"host":"xxxxxxx.xx.xxxx.symantec.com","id":0,"platform":{"country":"1","language":"English","processor":"x00 Family x Model xx Stepping x","system":"Windows x build xxxx Service Pack x"},"product_name":"ATP:Endpoint","sep_mid":"5dff8f5cba699350c4133f3e244a8219","type_id":4100,"device_uid":"abed4e50-38af-4bae-9c44-3ec23e1b7648","user_name":"xxxxxxx","sep_installed":true}

The plaintext message seems to have the correct escape characters:

<13>Dec 24 22:19:17 localhost sep_proxy_insight_event: INFO - symatp CEF:0|Symantec|ATPU|3.2.0|4096|sep_proxy_insight_event|0|device_time=2018-12-24T22:19:16.928Z device_uid=aeb6632f-453a-4310-8107-61052d25f4df internalIP=xxx.xx.xx.xx internalHost=xxxxx filePath=CSIDL_WINDOWS\assembly\nativeimages_v2.0.50727_64\microsoft.powershel#\bbc88a5feed8764d266682bf4d5702b9 fname=Microsoft.PowerShell.Commands.Utility.ni.dll sha2=be677525a30093d7d2976269c16f4a89f4ce3b23c0971b02afbafb789d4fd531 md5=bf407e8aadad4cf08eecb2a2b2b290b0 disposition=0 disposition_atp=0 user_name=xxxxxxxxx json={"atp_protocol":"rrs","data_direction":1,"data_source_ip":null,"data_source_url":null,"data_source_url_domain":null,"data_source_url_referer":null,"device_ip":"xxx.xx.xx.xx","device_name":"xxxxx","device_time":"2018-12-24T22:19:16.928Z","device_uid":"aeb54654f-453a-4310-8107-61052d25f4df","disposition":1,"downloaded_portal_id":null,"enterprise_uid":"AF61582212120CFA9CCA9F85E22ED85FB8","external_ip":null,"feature_name":"ATP:Endpoint","feature_ver":"2014.2.0","file":{"attributes":null,"confidence":78,"confidence_atp":78,"desc":null,"disposition":0,"disposition_atp":0,"file_age":2,"first_seen":"2018-10-19T02:02:45.000Z","folder":"CSIDL_WINDOWS\assembly\nativeimages_v2.0.50727_64\microsoft.powershel#\bbc88a5feed8764d266682bf4d5702b9","md5":"bf407e8aadad4cf08eecb2a2b2b290b0","name":"Microsoft.PowerShell.Commands.Utility.ni.dll","prevalence":166,"prevalence_band":7,"reputation_band":1,"sha2":"be677525a30093d7d2976269c16f4a89f4ce3b23c0971b02afbafb789d4fd531","signature_company_name":null,"signature_issuer":null,"signature_serial_number":null,"size":2176512},"id":0,"initiating_engine":null,"parent_file_name":null,"parent_file_sha2":null,"parent_installer_url":null,"product_name":"ATP:Endpoint","request_reason":null,"rule_id":null,"rule_version":0,"sep_mid":"b32e0241d7bb2db9c9955a8a9d7d2d92","type_id":4096,"zone_id":null,"user_name":"xxxxxxxxx","sep_installed":true}
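What "escaped properly" means in practice, shown on constructed samples modelled on the two messages in this thread (this is an added illustration, not code from the thread or from Graylog or Symantec). A JSON string may only contain a backslash when it starts one of the escapes allowed by RFC 8259 (`\"`, `\\`, `\/`, `\b`, `\f`, `\n`, `\r`, `\t`, `\u`). The unescaped Windows path `CSIDL_WINDOWS\assembly` contains `\a`, which is not on that list, so the parser fails with exactly the error in the first post. The second message only looked fine: `\temp` is a legal escape, so it parsed, but the folder value became a tab character followed by `emp`. The `escape_invalid_only` and `escape_all_backslashes` helpers and the sample strings are assumptions made for this demonstration.

```python
import json
import re

# Constructed samples modelled on the thread's messages (not the original
# events): Windows paths whose backslashes were never escaped for JSON.
RAW_FAILS = (r'{"atp_protocol":"rrs","file":{"folder":"CSIDL_WINDOWS\assembly\nativeimages_v2.0.50727_32",'
             r'"name":"x.dll"}}')
RAW_PARSES = r'{"atp_protocol":"bash","file":{"folder":"CSIDL_WINDOWS\temp","name":"msi6f31.tmp"}}'

# A backslash not followed by a legal JSON escape introducer
# (RFC 8259: " \ / b f n r t u) is what makes the parser reject the text.
LONE_BACKSLASH = re.compile(r'\\(?!["\\/bfnrtu])')


def try_parse(raw):
    """Parse raw JSON; return (True, obj) or (False, decoder message)."""
    try:
        return True, json.loads(raw)
    except json.JSONDecodeError as exc:
        return False, f"{exc.msg} at column {exc.colno}"


def escape_invalid_only(raw):
    """Double only the backslashes that start an invalid escape (\\a, \\m, ...).

    This makes the text parse, but a legal escape such as \\n or \\t inside a
    path is still decoded as a newline or a tab, silently corrupting the value.
    """
    return LONE_BACKSLASH.sub(r"\\\\", raw)


def escape_all_backslashes(raw):
    """Double every backslash.

    Correct when the producer never JSON-escaped the value at all (as with
    these Windows paths); wrong if it had already escaped quotes or backslashes.
    """
    return raw.replace("\\", "\\\\")


def folder_of(raw):
    """The file.folder value after a successful parse, or None on failure."""
    ok, result = try_parse(raw)
    return result["file"]["folder"] if ok else None


if __name__ == "__main__":
    for label, raw in (("fails", RAW_FAILS), ("parses", RAW_PARSES)):
        print(label, "as-is:       ", try_parse(raw))
        print(label, "invalid-only:", repr(folder_of(escape_invalid_only(raw))))
        print(label, "all doubled: ", repr(folder_of(escape_all_backslashes(raw))))
```

The real fix belongs at the producer, which should emit `"folder":"CSIDL_WINDOWS\\assembly\\..."`. If the source cannot be changed, doubling every backslash before parsing is the approach that recovers the true path for both messages; patching only the invalid escapes stops the error but leaves `\temp` decoded as a tab, which would then show up wrong in any search or alert keyed on the folder field. In a Graylog rule the same pre-processing could, as far as I know, be done with the `replace()` pipeline function on `$message.json` before calling `parse_json()`; treat that as an assumption to check against your Graylog version's function list.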
