Hi Guys, could anyone help me to split the following JSON file into multiple events? I tried in different ways, adding KVMODE=json, modifying LINE_BREAKER or adding EVENT_BREAKER to my props.conf, but I'm unable to find a solution...

Following is a JSON example. What I'm trying to do is to capture the messages between square brackets and then split the events contained in them. In this example I have two different events, each starting with the "eventId" field and ending with the "policyId" field:

{
  "name": "SecureSphere_Audit_PCI_-_Login_audit_15.01.2021_1043_19.02.2021_2359_ith-aru-sec-imp-gw03_0_mxName.0000000002",
  "messageRaw": [
    {
      "eventId": "6930995712914260054",
      "eventCreationTime": "2021-02-19T17:04:32Z",
      "streamId": "20",
      "sourcePort": 2978,
      "destinationPort": 1527,
      "originalUserName": "sapserviceid6",
      "parsedQuery": "N/A (login)",
      "logCollectorName": "N/A",
      "realDateTime": "2021-02-19T17:04:31Z",
      "base": {
        "keysCrc": "3392074420543545270",
        "serverGroup": "LAB",
        "service": "Oracle",
        "application": "Default Oracle Application",
        "eventSourceType": "Network",
        "userType": "Valid",
        "dbUser": "sapserviceid6",
        "sqlSourceGroup": "Default oracle group",
        "isUserAuthenticed": true,
        "sourceIp": "10.1.5.190",
        "sourceApp": "disp+work.exe",
        "osUser": "sapserviceid6",
        "host": "sapysap1",
        "serviceType": "Oracle",
        "destinationIp": "10.1.5.191",
        "eventType": "LOGIN",
        "operation": "Login",
        "database": "id6",
        "schema": "sapserviceid6",
        "gatewayName": "ith-aru-sec-imp-gw03",
        "sourceOfActivity": "REMOTE",
        "dbInstance": "id6"
      },
      "policy": "PCI - Login audit",
      "policyId": "993812781714235096"
    },
    {
      "eventId": "6930995712914335615",
      "eventCreationTime": "2021-02-19T17:04:41Z",
      "streamId": "30",
      "sourcePort": 2978,
      "destinationPort": 1527,
      "originalUserName": "sapid6",
      "parsedQuery": "N/A (login)",
      "logCollectorName": "N/A",
      "realDateTime": "2021-02-19T17:04:41Z",
      "base": {
        "keysCrc": "-4699307483851221009",
        "serverGroup": "LAB",
        "service": "Oracle",
        "application": "Default Oracle Application",
        "eventSourceType": "Network",
        "userType": "Valid",
        "dbUser": "sapid6",
        "sqlSourceGroup": "Default oracle group",
        "isUserAuthenticed": true,
        "sourceIp": "10.1.5.190",
        "sourceApp": "disp+work.exe",
        "osUser": "sapserviceid6",
        "host": "sapysap1",
        "serviceType": "Oracle",
        "destinationIp": "10.1.5.191",
        "eventType": "LOGIN",
        "operation": "Login",
        "database": "id6",
        "schema": "sapserviceid6",
        "gatewayName": "ith-aru-sec-imp-gw03",
        "sourceOfActivity": "REMOTE",
        "dbInstance": "id6"
      },
      "policy": "PCI - Login audit",
      "policyId": "993812781714235096"
    }
  ]
}

Thanks in advance for your help
Mario
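The wrapper object in the post (one "name", one "messageRaw" array holding every audit event) is the reason LINE_BREAKER and KV_MODE alone do not give one event per login: the file is a single JSON document, so Splunk sees a single event. A common way around that is to flatten the export to one JSON object per line before it is indexed, which is what the script below does. This is an added example, not code from the original post or from Splunk or Imperva; the sample input is a constructed, abbreviated version of the file above, and the field name auditName, used to carry the wrapper's "name" into each event so its origin survives the split, is a hypothetical choice for this example.

```python
import json
import sys

# Constructed sample input, abbreviated from the file in the post:
# one wrapper object whose "messageRaw" array holds two audit events.
SAMPLE_EXPORT = """
{ "name": "SecureSphere_Audit_PCI_-_Login_audit_15.01.2021_1043_19.02.2021_2359_ith-aru-sec-imp-gw03_0_mxName.0000000002",
  "messageRaw": [
    { "eventId": "6930995712914260054", "eventCreationTime": "2021-02-19T17:04:32Z",
      "originalUserName": "sapserviceid6",
      "base": { "sourceIp": "10.1.5.190", "destinationIp": "10.1.5.191",
                "eventType": "LOGIN", "dbUser": "sapserviceid6" },
      "policy": "PCI - Login audit", "policyId": "993812781714235096" },
    { "eventId": "6930995712914335615", "eventCreationTime": "2021-02-19T17:04:41Z",
      "originalUserName": "sapid6",
      "base": { "sourceIp": "10.1.5.190", "destinationIp": "10.1.5.191",
                "eventType": "LOGIN", "dbUser": "sapid6" },
      "policy": "PCI - Login audit", "policyId": "993812781714235096" }
  ] }
"""


def split_events(export_text: str, name_field: str = "auditName") -> list[dict]:
    """Return one dict per element of "messageRaw".

    The wrapper's "name" is copied into every event under `name_field`
    (hypothetical field name chosen for this example) so the audit export
    an event came from is not lost once the wrapper is discarded.
    Accepts a single wrapper object or a top-level list of wrapper objects,
    and refuses input that does not have the expected shape rather than
    silently indexing a malformed export as one giant event.
    """
    doc = json.loads(export_text)
    wrappers = doc if isinstance(doc, list) else [doc]
    events = []
    for wrapper in wrappers:
        raw = wrapper.get("messageRaw") if isinstance(wrapper, dict) else None
        if not isinstance(raw, list):
            raise ValueError('"messageRaw" missing or not an array')
        for event in raw:
            if not isinstance(event, dict) or "eventId" not in event:
                raise ValueError("messageRaw element is not an event object")
            out = dict(event)
            out[name_field] = wrapper.get("name")
            events.append(out)
    return events


def to_ndjson(events: list[dict]) -> str:
    """Serialize events as newline-delimited JSON, one complete object per line.

    json.dumps never emits a raw newline inside an object, so every line is a
    self-contained event; Splunk's default newline-based line breaking then
    yields exactly one event per login and KV_MODE = json extracts the fields,
    the nested base.* fields included.
    """
    return "\n".join(json.dumps(e, separators=(",", ":")) for e in events) + "\n"


if __name__ == "__main__":
    # Read the export from stdin when piped, otherwise use the sample above.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_EXPORT
    sys.stdout.write(to_ndjson(split_events(text)))
```

Once the file is one object per line, a props.conf stanza with SHOULD_LINEMERGE = false and KV_MODE = json is enough; the wrapper-stripping regexes are no longer needed. The script can run as a pre-processing step before the forwarder picks the file up, or as a Splunk scripted input that writes the NDJSON to stdout.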