[rsyslog-notify] Forum Thread: Parsing JSON Message - (Mode 'post')
noreply at adiscon.com
Wed Jul 20 17:07:57 CEST 2016
User: robotdude
Forumlink: http://kb.monitorware.com/viewtopic.php?p=26802#p26802
Message:
----------
I am attempting to parse incoming JSON messages. The raw log from the
external server ($!all-json) is below and the top-level JSON consists of
three fields - msg, json_content and event_type. Within each of those field
values are nested JSON objects.
I'm attempting to parse this data in order to access the nested field names
(i.e. $!eventName or $!srcPreNATPort) but I'm not sure how to go about
accessing those fields. I have successfully created a template that parses
only $!json_content, but I'm not sure how to go one level deeper and access
the JSON inside the $!json_content variable.
This template logs just the json_content string without escaped quotes:
template(name="test" type="string" string="%$!json_content%\n\n")
This is the raw message arriving from the external server:
{
"msg": "hostname {\"name\":\"DefaultProfile\",\"version\":\"1.0\",\"isoTimeFormat\":\"yyyy-MM-dd'T'HH:mm:ss.SSSZ\",\"type\":\"Event\",\"category\":\"67500040\",\"protocolID\":\"17\",\"sev\":\"5\",\"src\":\"158.69.120.9\",\"dst\":\"132.186.44.3\",\"srcPort\":\"7777\",\"dstPort\":\"37579\",\"relevance\":\"3\",\"credibility\":\"8\",\"startTimeEpoch\":\"1469025562356\",\"startTimeISO\":\"2016-07-20T10:39:22.356-04:00\",\"storageTimeEpoch\":\"1469025562356\",\"storageTimeISO\":\"2016-07-20T10:39:22.356-04:00\",\"deploymentID\":\"a0619e92-0341-11e6-9929-40f2e9758858\",\"devTimeEpoch\":\"1469025562356\",\"devTimeISO\":\"2016-07-20T10:39:22.356-04:00\",\"srcPreNATPort\":\"0\",\"dstPreNATPort\":\"0\",\"srcPostNATPort\":\"0\",\"dstPostNATPort\":\"0\",\"hasIdentity\":\"false\",\"payload\":\"Darknet Traffic Event\",\"eventCnt\":\"1\",\"srcIPLoc\":\"NorthAmerica.UnitedStates\",\"dstIPLoc\":\"NorthAmerica.UnitedStates\",\"hasOffense\":\"false\",\"domainID\":\"0\",\"eventName\":\"Darknet Traffic Event\",\"lowLevelCategory\":\"Network Sweep\",\"highLevelCategory\":\"Recon\",\"eventDescription\":\"Source IP is attempting to reach Darknet addresses\",\"protocolName\":\"udp\",\"logSource\":\"Custom Rule Engine\",\"srcNetName\":\"other\",\"dstNetName\":\"Regulatory_Compliance_Servers.Darknet.Darknet_31\",\"logSourceType\":\"Custom Rule Engine\",\"logSourceGroup\":\"Other\",\"logSourceIdentifier\":\"0.0.0.0\"}",
"json_content": "{\"name\":\"DefaultProfile\",\"version\":\"1.0\",\"isoTimeFormat\":\"yyyy-MM-dd'T'HH:mm:ss.SSSZ\",\"type\":\"Event\",\"category\":\"67500040\",\"protocolID\":\"17\",\"sev\":\"5\",\"src\":\"158.69.120.9\",\"dst\":\"132.186.44.3\",\"srcPort\":\"7777\",\"dstPort\":\"37579\",\"relevance\":\"3\",\"credibility\":\"8\",\"startTimeEpoch\":\"1469025562356\",\"startTimeISO\":\"2016-07-20T10:39:22.356-04:00\",\"storageTimeEpoch\":\"1469025562356\",\"storageTimeISO\":\"2016-07-20T10:39:22.356-04:00\",\"deploymentID\":\"a0619e92-0341-11e6-9929-40f2e9758858\",\"devTimeEpoch\":\"1469025562356\",\"devTimeISO\":\"2016-07-20T10:39:22.356-04:00\",\"srcPreNATPort\":\"0\",\"dstPreNATPort\":\"0\",\"srcPostNATPort\":\"0\",\"dstPostNATPort\":\"0\",\"hasIdentity\":\"false\",\"payload\":\"Darknet Traffic Event\",\"eventCnt\":\"1\",\"srcIPLoc\":\"NorthAmerica.UnitedStates\",\"dstIPLoc\":\"NorthAmerica.UnitedStates\",\"hasOffense\":\"false\",\"domainID\":\"0\",\"eventName\":\"Darknet Traffic Event\",\"lowLevelCategory\":\"Network Sweep\",\"highLevelCategory\":\"Recon\",\"eventDescription\":\"Source IP is attempting to reach Darknet addresses\",\"protocolName\":\"udp\",\"logSource\":\"Custom Rule Engine-116\",\"srcNetName\":\"other\",\"dstNetName\":\"Regulatory_Compliance_Servers.Darknet.Darknet_31\",\"logSourceType\":\"Custom Rule Engine\",\"logSourceGroup\":\"Other\",\"logSourceIdentifier\":\"0.0.0.0\"}\n",
"event_type": "Jul 20 10:39:06 hostname Darknet Traffic Event \n"
}
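The message quoted above is JSON whose string values are themselves JSON, so reaching $!eventName or $!srcPreNATPort is a two-stage decode: parse the outer object, then parse each string field again. The following Python is an added example, not rsyslog configuration and not the poster's code; it shows the second stage that the post is asking about, including the two awkward cases visible in the sample: the msg field carries a hostname prefix before the embedded object, and event_type holds no JSON at all. The sample input is a shortened, constructed copy of the quoted message; the function and variable names are this example's own.

```python
import json
from typing import Any, Dict, List, Optional

# Constructed sample: a shortened copy of the message quoted in the post.
# Inner objects arrive as escaped strings, exactly as $!all-json shows them.
RAW_MESSAGE = r'''{
"msg": "hostname {\"name\":\"DefaultProfile\",\"srcPort\":\"7777\",\"eventName\":\"Darknet Traffic Event\",\"srcPreNATPort\":\"0\"}",
"json_content": "{\"name\":\"DefaultProfile\",\"srcPort\":\"7777\",\"eventName\":\"Darknet Traffic Event\",\"srcPreNATPort\":\"0\",\"logSource\":\"Custom Rule Engine-116\"}\n",
"event_type": "Jul 20 10:39:06 hostname Darknet Traffic Event \n"
}'''


def decode_embedded(value: str) -> Optional[Dict[str, Any]]:
    """Decode a JSON object embedded in a string field.

    The msg field prefixes the object with a hostname, so scan to the first
    '{' before decoding. json.loads tolerates trailing whitespace (the
    "\n" after json_content) but rejects trailing non-whitespace, which is
    the behaviour we want: a value that is not one clean object is reported
    as unparsed rather than half-decoded.
    """
    start = value.find("{")
    if start < 0:
        return None
    try:
        obj = json.loads(value[start:])
    except json.JSONDecodeError:
        return None
    # Only accept an object; a bare string or list would not give us fields.
    return obj if isinstance(obj, dict) else None


def parse_event(raw: str) -> Dict[str, Any]:
    """Two-stage decode: outer object, then every string field that holds JSON.

    Returns the nested objects keyed by their outer field name plus the list
    of outer fields that did not contain a JSON object, so a pipeline can
    count or alert on malformed input instead of silently dropping it.
    """
    outer = json.loads(raw)
    nested: Dict[str, Dict[str, Any]] = {}
    unparsed: List[str] = []
    for field, value in outer.items():
        if not isinstance(value, str):
            continue  # already structured, nothing to decode
        inner = decode_embedded(value)
        if inner is None:
            unparsed.append(field)
        else:
            nested[field] = inner
    return {"nested": nested, "unparsed": unparsed}


def port_value(text: Any) -> Optional[int]:
    """Coerce a port carried as a string ("7777") to int, with a range check.

    Every inner value in the sample is a string, so downstream code that
    compares ports numerically must convert and validate rather than trust.
    """
    if not isinstance(text, str) or not text.isdigit():
        return None
    port = int(text)
    return port if 0 <= port <= 65535 else None


if __name__ == "__main__":
    parsed = parse_event(RAW_MESSAGE)
    content = parsed["nested"]["json_content"]
    print("eventName:", content["eventName"])
    print("srcPreNATPort:", port_value(content["srcPreNATPort"]))
    print("fields without JSON:", parsed["unparsed"])
```

The same shape applies whatever does the second decode: parse the outer object once, treat each string field as untrusted text that may or may not contain JSON, and keep the list of fields that failed so a sudden change in the upstream format shows up in your metrics rather than as missing events.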