Great, thank you!
On 10/07/18 at 08:56, Risto Vaarandi wrote:
> Hi Alberto,
>
> Yes, it can be done, and there is a relevant example in sec rule
> repository (see the "parsing-json" subdirectory). Also, Q22 in sec FAQ
> provides a reference to this example.
>
> Hope this helps,
> risto
>
> On Tue, 10 July 2018 09:38 Alberto Corton <acor...@s21sec.com
> <mailto:acor...@s21sec.com>> wrote:
>
> Hi,
>
> We have some logs encoded as json strings like the following
> example (printed in multiple lines for better readability):
>
> {
>   "__REALTIME_TIMESTAMP": "1464791726836654",
>   "_TRANSPORT": "journal",
>   "_PID": "18509",
>   "_UID": "0",
>   "_GID": "0",
>   "_COMM": "docker",
>   "_EXE": "/usr/bin/docker",
>   "CONTAINER": { "ID": "17fb289f439b", "NAME": "test" }
> }
>
> Such logs can be decoded using a perlfunc pattern:
>
> type = Single
> ptype = PerlFunc
> desc = read
> pattern = sub { JSON::decode_json($_[0]) }
> action = logonly $+{_EXE} $+{_PID}
>
> Is there a way for accessing the nested fields (container id and
> container name in this case)?
>
> Regards,
>
------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot
_______________________________________________
Simple-evcorr-users mailing list
Simple-evcorr-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users
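The nested-field access asked about in the quoted thread, as an added example that is neither part of the thread nor the sec rule repository's "parsing-json" example: the decoded hash is flattened one level deep per nesting, so that SEC's rule of turning a returned hash reference into named match variables makes `$+{CONTAINER_ID}` and `$+{CONTAINER_NAME}` available in the action. The `_` key separator and the `flatten`/`parse_json_event` names are this example's own choices, not anything from SEC.

```perl
#!/usr/bin/perl
# Added example, not from the SEC rule repository: flatten a nested JSON
# event so that nested fields become named match variables ($+{...}) in a
# SEC PerlFunc pattern. Assumes the JSON module is installed; the "_" key
# separator is an assumption (choose another if your keys already use it).
use strict;
use warnings;
use JSON;

# Recursively flatten a decoded JSON structure into a single-level hash:
#   { "CONTAINER": { "ID": "x" } }  ->  { "CONTAINER_ID" => "x" }
# Arrays are flattened by index, e.g. "TAGS_0", "TAGS_1".
sub flatten {
    my ($data, $prefix, $out) = @_;
    $out //= {};
    if (ref $data eq 'HASH') {
        for my $k (sort keys %$data) {
            flatten($data->{$k}, defined $prefix ? "${prefix}_$k" : $k, $out);
        }
    } elsif (ref $data eq 'ARRAY') {
        for my $i (0 .. $#$data) {
            flatten($data->[$i], defined $prefix ? "${prefix}_$i" : "$i", $out);
        }
    } else {
        # Scalar leaf: string, number, or undef for JSON null.
        $out->{defined $prefix ? $prefix : ''} = $data;
    }
    return $out;
}

# Body of a SEC PerlFunc pattern. SEC treats a returned hash reference as a
# set of named match variables; an empty list means "no match", so a line
# that is not a JSON object is skipped instead of raising a Perl error.
sub parse_json_event {
    my ($line) = @_;
    my $decoded = eval { decode_json($line) };
    return () if !defined $decoded || ref $decoded ne 'HASH';
    return flatten($decoded);
}

# Constructed sample input, taken from the event shown in the question.
my $event = '{ "__REALTIME_TIMESTAMP": "1464791726836654", "_TRANSPORT": "journal", '
          . '"_PID": "18509", "_UID": "0", "_GID": "0", "_COMM": "docker", '
          . '"_EXE": "/usr/bin/docker", '
          . '"CONTAINER": { "ID": "17fb289f439b", "NAME": "test" } }';

my ($vars) = parse_json_event($event);
die "not a JSON object\n" unless $vars;
for my $k (sort keys %$vars) {
    printf "%-22s = %s\n", $k, $vars->{$k} // 'null';
}
# Inside a SEC rule the two subs above go into the pattern, and the action
# reads the flattened keys, e.g.:
#   action = logonly $+{_EXE} $+{_PID} $+{CONTAINER_ID} $+{CONTAINER_NAME}
```

Without the flattening step, `$+{CONTAINER}` from the rule in the question would hold a stringified hash reference rather than anything usable. Wrapping `decode_json` in `eval` and returning an empty list on failure matters for log feeds that mix JSON and plain-text lines: a non-JSON line simply does not match the rule, rather than producing a Perl exception in SEC's log for every such line.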