Alerting on a json message


Kyle S

Jun 18, 2019, 12:38:37 PM
To: sagan-users
I am feeding Sagan via a fifo both syslog and json messages. I am using the eve format and can get Sagan to write json and syslog to log, but I cannot get Sagan to alert on json messages. Although Sagan alerts fine on syslog.

Do you have any suggestions on how to get Sagan to alert on json messages?

Da Beave

Jul 3, 2019, 3:01:14 PM
To: sagan-users
Sorry for the delay on this. 

How are you getting the JSON into Sagan? Is the JSON being fed in via a standard syslog message or are you trying to read it in directly from the FIFO? You'll need to create a "mapping" for the JSON, in either case, so that Sagan understands what it is dealing with.

Kyle S

Jul 16, 2019, 1:28:24 PM
To: sagan-users
I am having it come in over the same port as the syslog which is getting fed to the fifo.

Da Beave

Jul 20, 2019, 1:23:22 PM
To: sagan-users
I guess the proper question is: is the syslog daemon generating the JSON, or is the device sending to you sending the JSON?

If the syslog daemon is generating the JSON, you'll need to make an input mapping. This is the YAML for that:

--<snip>--

    # Controls how data is read from the FIFO. The "pipe" setting is the traditional
    # way Sagan reads in events and is default. "json" is more flexible and
    # will become the default in the future. If "pipe" is set, "json-map"
    # and "json-software" have no function.

    input-type: json                       # pipe or json
    json-map: "$RULE_PATH/json-input.map"  # mapping file if input-type: json
    json-software: syslog-ng               # by "software" type.

--<snip>--

The mapping file will look something like this:

--<snip>--

{"software":"syslog-ng","syslog-source-ip":"SOURCEIP","facility":"FACILITY","level":"PRIORITY","priority":"PRIORITY","time":"DATE","date":"DATE","program":"PROGRAM","message":"MESSAGE"}

{"software":"nxlog","syslog-source-ip":"MessageSourceAddress","facility":"SyslogFacility","level":"SyslogSeverity","priority":"Severity","time":"EventTime","date":"EventTime","program":"SourceName","message":"Message"}

--<snip>--

This "tells" Sagan how to map the fields. If your syslog daemon is injecting the JSON, then you'll need to make an appropriate mapping for it.

If the device is sending you JSON, you'll want to look at this section of the sagan.yaml:

--<snip>--

    # "parse-json-message" allows Sagan to detect and decode JSON within a
    # syslog "message" field.  If a decoder/mapping is found,  then Sagan will
    # extract the JSON values within the messages.  The "parse-json-program"
    # tells Sagan to start looking for JSON within the "program" field.  Some
    # systems (i.e. - Splunk) start JSON within the "program" field and
    # into the "message" field.  This option tells Sagan to "append" the
    # strings together (program+message) and then decode.  The "json-message-map"
    # tells Sagan how to decode JSON values when they are encountered.

    parse-json-message: enabled
    parse-json-program: enabled
    json-message-map: "$RULE_PATH/json-message.map"

--<snip>--

Sagan can parse that data, but you'll need to make a "json-message.map" for it. Again, this tells Sagan how to deal with the fields.

It's actually pretty straightforward and easy to do. I need to document this feature. Maybe on the next long flight I take, I'll write it up.

Let me know if you have any other questions!
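As an added illustration of what the mapping does (this is example code written for this page, not Sagan's own code and not part of the thread): the map entry selected by `json-software` is applied to a raw JSON event, producing the normalized fields (source IP, facility, level, priority, time, date, program, message) that rules can match on. The map lines mirror the two quoted above; the sample events, the values in them and the function names `load_map` / `normalize` are constructed for the example.

```python
import json

# Constructed map in the style of Sagan's json-input.map: one JSON object per line,
# keyed by "software"; the field names mirror the two entries quoted in the thread.
JSON_INPUT_MAP = """
{"software":"syslog-ng","syslog-source-ip":"SOURCEIP","facility":"FACILITY","level":"PRIORITY","priority":"PRIORITY","time":"DATE","date":"DATE","program":"PROGRAM","message":"MESSAGE"}
{"software":"nxlog","syslog-source-ip":"MessageSourceAddress","facility":"SyslogFacility","level":"SyslogSeverity","priority":"Severity","time":"EventTime","date":"EventTime","program":"SourceName","message":"Message"}
"""
# Normalized fields every map entry must supply before rules can match on them.
SAGAN_FIELDS = ("syslog-source-ip", "facility", "level", "priority", "time", "date", "program", "message")

# Constructed sample events in the shape syslog-ng and nxlog would emit (values are made up).
SYSLOG_NG_EVENT = ('{"SOURCEIP":"10.0.0.5","FACILITY":"auth","PRIORITY":"warning",'
                   '"DATE":"Jul 20 13:23:22","PROGRAM":"sshd",'
                   '"MESSAGE":"Failed password for invalid user admin from 10.0.0.9 port 51234 ssh2"}')
NXLOG_EVENT = ('{"MessageSourceAddress":"10.0.0.7","SyslogFacility":"USER",'
               '"SyslogSeverity":"INFO","Severity":"INFO","EventTime":"2019-07-20 13:23:22",'
               '"SourceName":"Microsoft-Windows-Security-Auditing",'
               '"Message":"An account was successfully logged on."}')

def load_map(text):
    """Parse map lines into {software: {sagan_field: source_key}}; reject incomplete entries."""
    maps = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        entry = json.loads(line)
        software = entry.pop("software")
        missing = [f for f in SAGAN_FIELDS if f not in entry]
        if missing:
            raise ValueError(f"map entry for {software!r} lacks {missing}")
        maps[software] = entry
    return maps

def normalize(maps, software, raw_line):
    """Apply the map chosen by json-software to one raw line.
    Returns None when the line is not JSON or a mapped source key is absent: such an
    event carries no normalized fields for a rule to match, which is one way JSON can
    reach the log output without ever producing an alert."""
    try:
        event = json.loads(raw_line)
    except json.JSONDecodeError:
        return None
    record = {}
    for field, key in maps[software].items():
        if key not in event:
            return None
        record[field] = str(event[key])
    return record
```

A quick sanity check for a new mapping is to run a few captured events through it and confirm every normalized field comes back populated before expecting rules to fire.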