JSON Decode Error
104 views
Skip to first unread message
harsh dhussa
Mar 19, 2024, 8:07:29 AM3/19/24
to Wazuh | Mailing List
Hi Team,
I am trying to fetch custom logs from the S3 bucket using aws-s3 wodle.
While doing so, I am getting below Error.
Traceback (most recent call last):
File "/var/ossec/wodles/aws/aws-s3.py", line 1156, in get_log_file
return self.load_information_from_file(log_key=log_key)
File "/var/ossec/wodles/aws/aws-s3.py", line 2013, in load_information_from_file
return [dict(event['detail'], source=event['source'].replace('aws.', '')) for event in
File "/var/ossec/wodles/aws/aws-s3.py", line 2013, in <listcomp>
return [dict(event['detail'], source=event['source'].replace('aws.', '')) for event in
File "/var/ossec/wodles/aws/aws-s3.py", line 1998, in json_event_generator
raise err
File "/var/ossec/wodles/aws/aws-s3.py", line 1993, in json_event_generator
json_data, json_index = decoder.raw_decode(data)
File "/var/ossec/framework/python/lib/python3.9/json/decoder.py", line 355, in raw_decode
raise JSONDecodeError("Expecting value", s, err.value) from None
json.decoder.JSONDecodeError: Expecting value: line 1 column 1 (char 0)
File "/var/ossec/wodles/aws/aws-s3.py", line 1156, in get_log_file
return self.load_information_from_file(log_key=log_key)
File "/var/ossec/wodles/aws/aws-s3.py", line 2013, in load_information_from_file
return [dict(event['detail'], source=event['source'].replace('aws.', '')) for event in
File "/var/ossec/wodles/aws/aws-s3.py", line 2013, in <listcomp>
return [dict(event['detail'], source=event['source'].replace('aws.', '')) for event in
File "/var/ossec/wodles/aws/aws-s3.py", line 1998, in json_event_generator
raise err
File "/var/ossec/wodles/aws/aws-s3.py", line 1993, in json_event_generator
json_data, json_index = decoder.raw_decode(data)
File "/var/ossec/framework/python/lib/python3.9/json/decoder.py", line 355, in raw_decode
raise JSONDecodeError("Expecting value", s, err.value) from None
json.decoder.JSONDecodeError: Expecting value: line 1 column 1 (char 0)
ERROR: Failed to parse file 2024/03/19/wazuh-log.json: Expecting value: line 1 column 1 (char 0)
The sample log that I am storing in the bucket is:
{"requestedURL":"GET /api/customer/logout","user":"System","mobile":"","vua":"","requestorType":"USER","requestorName":"","requestId":"42dff597-d22b-41d1-94a0-10bd067e8c77","transactionId":"","errorcode":"10201","errormsg":"Session invalid","DestinationURL":"","requestType":"Incoming Request","status":401,"clientIP":"x.x.x.x","module":"Registration and Login","name":"System","tncAccepted":"","timestamp":"1/8/2023, 4:11:38.306 pm","level":"ERROR"}
Also, I tried using log-test with the above log and it was working completely fine.
Please help.
harsh dhussa
Mar 21, 2024, 1:35:42 AM3/21/24
to Wazuh | Mailing List
Hi Team,
Pease help here.
Dario Menten
Mar 22, 2024, 9:35:07 AM3/22/24
to Wazuh | Mailing List
Hello Harsh
Thank you for posting in the Community.
It seems the issue is with the file, maybe the encoding, and that’s making noise to the Analysisd engine when it tries to read the log.
If you see it says Expecting value: line 1 column 1 (char 0), in my experience, that issue could be because of the encoding of the file.
Or maybe the first characters of the file are not valid, but if that line is the only one you have in the file I think is most likely an encoding issue.
What I would do is copy a log from another bucket and place it in the bucket read by the Wodle, and try with that.
Please let me know if that helps.
Reply all
Reply to author
Forward
0 new messages