And I would like to check if there are attack attempts going on. Is there a way to map the JSON "uri" field to "url" so the default web rules can be used?
I think I could use a "traditional" encoder, but I'm not sure if that is the proper way to do it.
Any suggestions how to achieve this in a nice way are very welcome. Thanks and BR Fabio
Jesus Linares
Oct 24, 2022, 1:09:13 AM
to Wazuh mailing list
Hi Fabio,
There is no way to change the URI field from Wazuh. The out_format setting allows you to change the format but it doesn't allow selecting specific fields.
What is the log source? Syslog? In that case, you can use rsyslog templates to modify the event.
I hope it helps.
Fabio Zuber
Oct 24, 2022, 2:59:03 AM
to Wazuh mailing list
Hey Jesus,
Thanks for your help. I guess I'll have to parse it in the traditional way then.
The log comes from a custom WAF. As these logs are also consumed elsewhere, changing the log format is probably not an option. Good tip though :)