Hi Alberto,
Yes, it can be done, and there is a relevant example in the sec rule repository
(see the "parsing-json" subdirectory). Also, Q22 in the sec FAQ provides a
reference to this example.
Hope this helps,
risto
Tue, 10 July 2018 09:38 Alberto Corton <acor...@s21sec.com> wrote:
> Hi,
>
> We have some logs encoded as json strings like the following example
> (printed in multiple lines for better readability):
>
> {
> "__REALTIME_TIMESTAMP": "1464791726836654",
> "_TRANSPORT": "journal",
> "_PID": "18509",
> "_UID": "0",
> "_GID": "0",
> "_COMM": "docker",
> "_EXE": "/usr/bin/docker",
> "CONTAINER": {
> "ID": "17fb289f439b",
> "NAME": "test"
> }
> }
>
> Such logs can be decoded using a perlfunc pattern:
>
> type = Single
> ptype = PerlFunc
> desc = read
> pattern = sub { JSON::decode_json($_[0]) }
> action = logonly $+{_EXE} $+{_PID}
>
> Is there a way for accessing the nested fields (container id and container
> name in this case)?
> Regards,
>
> ------------------------------------------------------------------------------
> Check out the vibrant tech community on one of the world's most
> engaging tech sites, Slashdot.org! http://sdm.link/slashdot
> _______________________________________________
> Simple-evcorr-users mailing list
> Simple-evcorr-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users
>
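One way to reach the nested fields from a PerlFunc pattern is to flatten the decoded JSON into a single-level hash, so that every nested value becomes a named match variable. This is an added example, not code from the thread or from the sec rule repository; the function name flatten() and the "_"-joined key naming (CONTAINER_ID, CONTAINER_NAME) are assumptions, and the sample line is constructed from the log shown in the question.

```perl
#!/usr/bin/perl
# Flatten a decoded JSON document: nested hash keys are joined with "_"
# (CONTAINER -> ID becomes CONTAINER_ID), array elements get their index.
# Because the result is a hash reference, SEC exposes each key as $+{KEY}
# when this is returned from a PerlFunc pattern.
use strict;
use warnings;
use JSON;

sub flatten {
    my ($data, $prefix, $out) = @_;
    $out //= {};
    if (ref($data) eq 'HASH') {
        for my $k (keys %$data) {
            flatten($data->{$k}, defined $prefix ? "${prefix}_$k" : $k, $out);
        }
    } elsif (ref($data) eq 'ARRAY') {
        for my $i (0 .. $#$data) {
            flatten($data->[$i], defined $prefix ? "${prefix}_$i" : $i, $out);
        }
    } else {
        # scalars, JSON booleans and nulls; a bare top-level scalar gets a name
        $out->{defined $prefix ? $prefix : 'value'} = $data;
    }
    return $out;
}

# Constructed sample: the journald/docker record from the question on one line.
my $line = <<'END';
{"__REALTIME_TIMESTAMP":"1464791726836654","_TRANSPORT":"journal","_PID":"18509","_UID":"0","_GID":"0","_COMM":"docker","_EXE":"/usr/bin/docker","CONTAINER":{"ID":"17fb289f439b","NAME":"test"}}
END
chomp $line;

my $flat = flatten(JSON::decode_json($line));
printf "%s = %s\n", $_, $flat->{$_} // 'null' for sort keys %$flat;

die "flatten failed" unless $flat->{CONTAINER_ID} eq '17fb289f439b'
    && $flat->{CONTAINER_NAME} eq 'test' && $flat->{_EXE} eq '/usr/bin/docker';

# Corresponding SEC rule (hypothetical; flatten() must be visible to sec, e.g.
# defined by an 'eval' action on the SEC_STARTUP internal event with --intevents):
#   type = Single
#   ptype = PerlFunc
#   desc = read
#   pattern = sub { flatten(JSON::decode_json($_[0])) }
#   action = logonly $+{_EXE} $+{_PID} $+{CONTAINER_ID} $+{CONTAINER_NAME}
```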