AWS GuardDuty produces log messages in JSON that have multiple interesting fields nested under "service.action", like
SumoLogic provides templates for parsing the logs. In the template the fields are each parsed like this:
| json field=_raw "accountId", "region", "partition", "id", "arn", "type","service.serviceName","service.detectorId","service.action","severity","title","description" nodrop
| json field=%service.action "networkConnectionAction.remoteIpDetails.ipAddressV4","networkConnectionAction.localPortDetails.port" as ip, localPort nodrop
But it doesn't work! To work I have to directly reference each field with this command instead:
json field=_raw "service.action.networkConnectionAction.remoteIpDetails.ipAddressV4","service.action.networkConnectionAction.localPortDetails.port" as ip, localPort nodrop
I'm confused about the intended meaning of "%service.action" in the template. There's no mention of using a "%" anywhere in the Support documentation. It looks like the first json command is trying to extract the whole "service.action" contents and store it in "%service.action" and is then using that to parse again, but whatever it's pulling into "%service.action" isn't true JSON.
Can anyone help me understand, please? I'm having to edit every template by hand to get them to work and it's a real pain!
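To make the two query shapes in the question concrete, here is an added Python example (not Sumo Logic's template code or any code from the post) that extracts the same two fields from a constructed GuardDuty-shaped finding both ways: first via an intermediate `service.action` object, as the template does, and then via the full path from the root, as the workaround does. Missing fields yield `None` instead of dropping the record, which stands in for `nodrop`; the finding, its IDs and addresses are all constructed placeholders.

```python
import json

# Constructed sample shaped like a GuardDuty finding; every value is a placeholder.
SAMPLE_FINDING = json.dumps({
    "accountId": "111122223333",
    "region": "us-east-1",
    "id": "placeholder-finding-id",
    "type": "UnauthorizedAccess:EC2/SSHBruteForce",
    "severity": 5,
    "service": {
        "serviceName": "guardduty",
        "action": {
            "actionType": "NETWORK_CONNECTION",
            "networkConnectionAction": {
                "connectionDirection": "INBOUND",
                "localPortDetails": {"port": 22, "portName": "SSH"},
                "remoteIpDetails": {"ipAddressV4": "198.51.100.7"},
            },
        },
    },
})


def get_path(obj, dotted):
    """Walk a dict along a dotted path; return None if any step is missing."""
    for key in dotted.split("."):
        if not isinstance(obj, dict) or key not in obj:
            return None
        obj = obj[key]
    return obj


def extract_two_stage(raw):
    """Template style: pull out service.action first, then parse inside it.
    The second stage only works if the first stage hands over a real JSON
    object rather than a flattened string, which is the point in question."""
    action = get_path(json.loads(raw), "service.action")
    if action is None:
        return {"ip": None, "localPort": None}
    return {
        "ip": get_path(action, "networkConnectionAction.remoteIpDetails.ipAddressV4"),
        "localPort": get_path(action, "networkConnectionAction.localPortDetails.port"),
    }


def extract_direct(raw):
    """Workaround style: reference the full path from the root in one step."""
    doc = json.loads(raw)
    return {
        "ip": get_path(doc, "service.action.networkConnectionAction.remoteIpDetails.ipAddressV4"),
        "localPort": get_path(doc, "service.action.networkConnectionAction.localPortDetails.port"),
    }
```

Both functions return the same values on the sample, which is what the template assumes; the two-stage version breaks as soon as the intermediate is not a parsed object.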