Flatten the Json output #4266
rohanrajnv
Hi Everyone,
I need some help flattening the JSON file that I get from Wazuh. I tried to use the Lift option in the config and it is still not working. The parsing is also not working.
This is the log that I get from Wazuh:
{"timestamp":"2023-08-12T13:44:09.451+0000","rule":{"level":3,"description":"Successful sudo to ROOT executed.","id":"5402","mitre":{"id":["T1548.003"],"tactic":["Privilege Escalation","Defense Evasion"],"technique":["Sudo and Sudo Caching"]},"firedtimes":97386,"mail":false,"groups":["syslog","sudo"],"pci_dss":["10.2.5","10.2.2"],"gpg13":["7.6","7.8","7.13"],"gdpr":["IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7","AC.6"],"tsc":["CC6.8","CC7.2","CC7.3"]},"agent":{"id":"037","name":"mzab01","ip":"192.168.49.99"},"manager":{"name":"OSHW01"},"id":"13.1","full_log":"Aug 12 17:44:08 mzab01 sudo: test : TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/usr/bin/cp /waldb/172.16.171.110-O.xml /waldb/172.16.171.110-T.xml","predecoder":{"program_name":"sudo","timestamp":"Aug 12 17:44:08","hostname":"mzab01"},"decoder":{"parent":"sudo","name":"sudo","ftscomment":"First time user executed the sudo command"},"data":{"srcuser":"test","dstuser":"root","tty":"unknown","pwd":"/","command":"/usr/bin/cp /waldb/172.16.171.110-O.xml /waldb/172.16.171.110-T.xml"},"location":"/var/log/auth.log"}
But I want to change it to:
{
"timestamp": "2023-08-12T13:44:09.451+0000",
"rule.level": 3,
"rule.description": "Successful sudo to ROOT executed.",
"rule.id": "5402",
"rule.mitre.id[0]": "T1548.003",
"rule.mitre.tactic[0]": "Privilege Escalation",
"rule.mitre.tactic[1]": "Defense Evasion",
"rule.mitre.technique[0]": "Sudo and Sudo Caching",
"rule.firedtimes": 97386,
"rule.mail": false,
"rule.groups[0]": "syslog",
"rule.groups[1]": "sudo",
"rule.pci_dss[0]": "10.2.5",
"rule.pci_dss[1]": "10.2.2",
"rule.gpg13[0]": "7.6",
"rule.gpg13[1]": "7.8",
"rule.gpg13[2]": "7.13",
"rule.gdpr[0]": "IV_32.2",
"rule.hipaa[0]": "164.312.b",
"rule.nist_800_53[0]": "AU.14",
"rule.nist_800_53[1]": "AC.7",
"rule.nist_800_53[2]": "AC.6",
"rule.tsc[0]": "CC6.8",
"rule.tsc[1]": "CC7.2",
"rule.tsc[2]": "CC7.3",
"agent.id": "037",
"agent.name": "mzab01",
"agent.ip": "192.168.49.99",
"manager.name": "OSHW01",
"id": "13.1",
"full_log": "Aug 12 17:44:08 mzab01 sudo: test : TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/usr/bin/cp /waldb/172.16.171.110-O.xml /waldb/172.16.171.110-T.xml",
"predecoder.program_name": "sudo",
"predecoder.timestamp": "Aug 12 17:44:08",
"predecoder.hostname": "mzab01",
"decoder.parent": "sudo",
"decoder.name": "sudo",
"decoder.ftscomment": "First time user executed the sudo command",
"data.srcuser": "test",
"data.dstuser": "root",
"data.tty": "unknown",
"data.pwd": "/",
"data.command": "/usr/bin/cp /waldb/172.16.171.110-O.xml /waldb/172.16.171.110-T.xml",
"location": "/var/log/auth.log"
}
Any help would be greatly appreciated.