1. Describe your incident:
I’m ingesting logs from my antivirus (ESET), and I’m not able to parse the message value content, which seems to be JSON.
2. Describe your environment:
- OS Information: Debian 12 (graylog on docker)
- Package Version: 6.1.5
- Service logs, configurations, and environment variables:
JSON content:
{
"process_id": "786",
"gl2_accounted_message_size": 1340,
"gl2_receive_timestamp": "2025-02-06 10:13:22.676",
"level": 6,
"gl2_remote_ip": "X.X.X.X",
"gl2_remote_port": 50910,
"streams": [
"67a329690cb812111012e8eb"
],
"gl2_message_id": "01JKDBZZQ7000001BQ720SPDHH",
"source": "myServer",
"message": "{"event_type":"Audit_Event","hostname":"myServer","source_uuid":"1f9e873d-1c25-4ac7-bc58-de4552ca2479","occured":"06-Feb-2025 10:13:23","severity":"Information","domain":"Single-sign-on token","action":"Single sign on token issue","detail":"Single Sign On Session Token ‘’ issued for native user ‘administrator’.","user":"","result":"Success"}",
"gl2_source_input": "679ba5900cb81211100f032f",
"eset_message_json_regex": "{"event_type":"Audit_Event","hostname":"myServer","source_uuid":"1f9e873d-1c25-4ac7-bc58-de4552ca2479","occured":"06-Feb-2025 10:13:23","severity":"Information","domain":"Single-sign-on token","action":"Single sign on token issue","detail":"Single Sign On Session Token '’ issued for native user ‘administrator’.","user":"","result":"Success"}",
"gl2_processing_timestamp": "2025-02-06 10:13:22.683",
"application_name": "ERAServer",
"full_message": "<14>1 2025-02-06T10:13:23.303Z myServer ERAServer 786 - - {"event_type":"Audit_Event","hostname":"myServer","source_uuid":"1f9e873d-1c25-4ac7-bc58-de4552ca2479","occured":"06-Feb-2025 10:13:23","severity":"Information","domain":"Single-sign-on token","action":"Single sign on token issue","detail":"Single Sign On Session Token ‘********’ issued for native user ‘administrator’.","user":"","result":"Success"}",
"facility_num": 1,
"gl2_source_node": "570a4219-367c-43d0-94d7-c89f6d0bc1c4",
"_id": "fef72870-e472-11ef-b4ee-0242ac150004",
"facility": "user-level",
"gl2_processing_duration_ms": 7,
"timestamp": "2025-02-06T10:13:23.303Z"
}
3. What steps have you already taken to try and solve the problem?
I tried to use a pipeline to convert the message field, which contains a BOM character, and parse the JSON using parse_json, but it does not work.
I added a set_field function to create a field in my result, but no new field was added in the simulation.
I’m not sure, but:
"message": "{"event_type":"Audit_Event","hostname":"myServer","source_uuid":"1f9e873d-1c25-4ac7-bc58-de4552ca2479","occured":"06-Feb-2025 10:13:23","severity":"Information","domain":"Single-sign-on token","action":"Single sign on token issue","detail":"Single Sign On Session Token ‘********’ issued for native user ‘administrator’.","user":"","result":"Success"}",
The characters " are not JSON standard, right?
4. How can the community help?
Help me create (and understand) how to parse this data.
Thanks
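The two obstacles the post describes are a leading BOM (which a strict JSON parser rejects) and double quotes that arrive HTML-escaped as `"`, so the payload is not valid JSON until both are undone. The following Python is an added example, not code from the post or from Graylog: it models the cleaning and parsing steps outside Graylog so they can be checked on a sample line before being translated into a pipeline rule. The sample message, the `eset_` field prefix and the function names are constructed for this illustration; the same three steps in a Graylog rule would be a string replacement for the BOM and the entity, `parse_json`, and `set_fields` on the resulting map.

```python
import html
import json

# Constructed sample modelled on the post's message field: a UTF-8 BOM in
# front of the JSON and HTML-escaped double quotes (") inside it.
SAMPLE_MESSAGE = (
    "\ufeff"
    '{"event_type":"Audit_Event","hostname":"myServer",'
    '"occured":"06-Feb-2025 10:13:23","severity":"Information",'
    '"domain":"Single-sign-on token","action":"Single sign on token issue",'
    '"detail":"Single Sign On Session Token \u2018********\u2019 '
    'issued for native user \u2018administrator\u2019.",'
    '"user":"","result":"Success"}'
)


def clean_json_text(raw: str) -> str:
    """Strip a leading BOM and turn HTML entities such as " back into '"'."""
    text = raw.lstrip("\ufeff")
    # html.unescape only decodes entities; it does not interpret tags or
    # otherwise alter the text, so it is safe on a plain log payload.
    return html.unescape(text)


def parse_eset_message(raw: str, prefix: str = "eset_") -> dict:
    """Return a flat dict of fields ready to be set on the message.

    Keys are prefixed (hypothetical 'eset_') so they never clobber Graylog's
    reserved gl2_* or message fields. A payload that is still not valid JSON
    after cleaning yields a single error field instead of an exception, so a
    malformed event does not abort the rule for the whole stream.
    """
    try:
        data = json.loads(clean_json_text(raw))
    except json.JSONDecodeError as exc:
        return {prefix + "parse_error": str(exc)}
    if not isinstance(data, dict):
        return {prefix + "parse_error": "top-level JSON is not an object"}

    fields = {}
    for key, value in data.items():
        if isinstance(value, (dict, list)):
            # Nested structures are kept as a JSON string rather than exploded
            value = json.dumps(value)
        fields[prefix + key] = value
    return fields


if __name__ == "__main__":
    for name, value in parse_eset_message(SAMPLE_MESSAGE).items():
        print(f"{name} = {value!r}")
```

Running the block prints one `eset_*` field per JSON key (`eset_event_type = 'Audit_Event'`, `eset_result = 'Success'`, and so on); feeding it the raw text without `clean_json_text` raises the same kind of decode error the pipeline simulator swallows silently, which is why the rule appeared to do nothing.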