1. Describe your incident:
We receive Syslog messages from OPNsense, including IPS logs. The message is in JSON format. As mentioned in How to use a JSON Extractor, I created an extractor (to copy the message part into an named field and a separator to split the named field.
The extractor works. The messages are like this:
firewall.base.lan suricata[51566]: {"timestamp":"2023-06-14T21:14:06.502140+0200","flow_id":1143475206488403,"in_iface":"vlan01^","event_type":"alert","signature_id":2029022}
They new named field (suricata_json) look like this:
{"timestamp":"2023-06-14T21:14:06.502140+0200","flow_id":1143475206488403,"in_iface":"vlan01^","event_type":"alert","signature_id":2029022}
The JSON separator has the condition that signature_id exists. If I try the extractor, it works also:
However, the fields are not created. I yield the normal messages with the suricata_json extract, but the JSON part is not separated any further as intended with the second extractor. I have no further ideas. Are these two consecutive extractors the right approach?
2. Describe your environment:
-
OS Information: Ubuntu 22.04.2 LTS
-
Package Version: 5.0.8-1
-
Service logs, configurations, and environment variables: unknown
3. What steps have you already taken to try and solve the problem?
Adjust extractor conditions, watch the official video, searched for similar problems.
4. How can the community help?
Assess the two extractor approach for the JSON data and/or give recommendation to extract JSON data into fields from the message part.
suggested tags: JSON, OPNsense, Suricata
