[Question title]: JSON Input Transformer Path Specification
[Posted]: 2021-01-07 17:42:41
[Question]:

I am trying to transform the following JSON log (it comes from AWS CloudWatch/CloudTrail, if that matters):

    {
        "eventVersion": "1.08",
        "userIdentity": {
            "type": "IAMUser",
            "principalId": "xxx",
            "arn": "arn:aws:iam::xxx",
            "accountId": "xxx",
            "accessKeyId": "xxx",
            "userName": "xxx",
            "sessionContext": {
                "sessionIssuer": {},
                "webIdFederationData": {},
                "attributes": {
                    "mfaAuthenticated": "true",
                    "creationDate": "2021-01-07T13:50:07Z"
                }
            }
        },
        "eventTime": "2021-01-07T14:55:03Z",
        "eventSource": "ec2.amazonaws.com",
        "eventName": "AuthorizeSecurityGroupIngress",
        "awsRegion": "us-east-1",
        "sourceIPAddress": "xxx",
        "userAgent": "console.ec2.amazonaws.com",
        "requestParameters": {
            "groupId": "sg-xxx",
            "ipPermissions": {
                "items": [
                    {
                        "ipProtocol": "tcp",
                        "fromPort": 22,
                        "toPort": 22,
                        "groups": {},
                        "ipRanges": {
                            "items": [
                                {
                                    "cidrIp": "x.x.x.x/32",
                                    "description": "x"
                                }
                            ]
                        },
                        "ipv6Ranges": {},
                        "prefixListIds": {}
                    }
                ]
            }
        },
        "responseElements": {
            "requestId": "xxx",
            "_return": true
        },
        "requestID": "xxx",
        "eventID": "xxx",
        "readOnly": false,
        "eventType": "AwsApiCall",
        "managementEvent": true,
        "eventCategory": "Management",
        "recipientAccountId": "xxx"
    }

into the following output:

"AuthorizeSecurityGroupIngress made against sg-xxx on [accountname] from [user@x.x.x.x]"

"Port Range: 22"

"Source IP: x.x.x.x"

"Description: x"

Currently, by passing these two blocks to the CloudWatch input transformer:

    {
    "event":"$.detail.eventName",
    "sg":"$.detail.requestParameters.groupId",
    "user":"$.detail.userIdentity.userName",
    "sourceip":"$.detail.sourceIPAddress",
    "dsc":"$.detail.requestParameters.ipPermissions.items"
    }
    "<event> made against <sg> on [accountname] from [<user>@<sourceip>]"
    "Details: <dsc>"

I am able to produce the following output:

"AuthorizeSecurityGroupIngress made against sg-xxx on [accountname] from [x@x.x.x.x]"

"Details: {items:[{ipProtocol:tcp,fromPort:22,toPort:22,groups:{},ipRanges:{items:[{cidrIp:x.x.x.x/32,description:x}]},ipv6Ranges: {},prefixListIds:{}}]}"

However, when I try to specify the input paths further by passing more specific placeholders:

    {
    "event":"$.detail.eventName",
    "sg":"$.detail.requestParameters.groupId",
    "user":"$.detail.userIdentity.userName",
    "sourceip":"$.detail.sourceIPAddress",
    "prt":"$.detail.requestParameters.ipPermissions.items.toPort",
    "src":"$.detail.requestParameters.ipPermissions.items.ipRanges.items.cidrIp",
    "dsc":"$.detail.requestParameters.ipPermissions.items.ipRanges.items.description"
    }
    "<event> made against <sg> on [accountname] from [<user>@<sourceip>]"
    "Port Range: <prt>"
    "Source IP: <src>"
    "Description: <dsc>"

the output for the placeholder values (prt, src, dsc) is blank:

"AuthorizeSecurityGroupIngress made against sg-xxx on [accountname] from [user@x.x.x.x]"

"Port Range: "

"Source IP: "

"Description: "

versus the expected:

"AuthorizeSecurityGroupIngress made against sg-xxx on [accountname] from [user@x.x.x.x]"

"Port Range: 22"

"Source IP: x.x.x.x"

"Description: x"

Where did I get the input paths wrong?

Is it the '[]' brackets that are causing the problem?

[Discussion]:

    Tags: arrays json parsing amazon-cloudwatch amazon-cloudtrail


    [Solution 1]:

    In two places your JSON has an items array, but your code treats them as objects. You need to call out the array element you want to extract the attribute from:

    "prt":"$.detail.requestParameters.ipPermissions.items[0].toPort",
    "src":"$.detail.requestParameters.ipPermissions.items[0].ipRanges.items[0].cidrIp",
    "dsc":"$.detail.requestParameters.ipPermissions.items[0].ipRanges.items[0].description"
    

    [Discussion]:
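As an added illustration (not code from the question, the answer, or AWS), the Python below is a small stand-in resolver for the `$.detail...` paths used above. It shows why a `.key` step applied to the `items` array yields nothing, so the placeholder renders blank, while the `[0]`-indexed path returns the value. The event is a constructed, trimmed CloudTrail record wrapped in the `detail` envelope that the asker's paths assume; the resolver approximates the transformer's path handling rather than reproducing it.

```python
import re

# Constructed sample (not the asker's data): a trimmed CloudTrail record
# wrapped in the "detail" envelope that the $.detail... paths assume.
EVENT = {"detail": {
    "eventName": "AuthorizeSecurityGroupIngress",
    "userIdentity": {"userName": "alice"},
    "sourceIPAddress": "198.51.100.7",
    "requestParameters": {
        "groupId": "sg-0123",
        "ipPermissions": {"items": [{
            "ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
            "ipRanges": {"items": [{"cidrIp": "203.0.113.9/32",
                                    "description": "office"}]},
        }]},
    },
}}

# One token per path step: either ".key" or "[n]".
STEP = re.compile(r"\.?([^.\[\]]+)|\[(\d+)\]")


def resolve(path, obj):
    """Walk a $.a.b[0].c path; return None when any step fails to match.

    A ".key" step only descends into a dict, so "items.toPort" fails on the
    list (the asker's blank output) while "items[0].toPort" succeeds.
    """
    if not path.startswith("$"):
        return None
    cur = obj
    for key, idx in STEP.findall(path[1:]):
        if idx:  # "[n]" step: only valid on a list with enough elements
            if not isinstance(cur, list) or int(idx) >= len(cur):
                return None
            cur = cur[int(idx)]
        else:    # ".key" step: only valid on a dict holding that key
            if not isinstance(cur, dict) or key not in cur:
                return None
            cur = cur[key]
    return cur


def render(template, paths, event):
    """Fill <name> placeholders; an unresolved path renders as blank text."""
    values = {name: resolve(p, event) for name, p in paths.items()}
    return re.sub(r"<(\w+)>",
                  lambda m: "" if values.get(m.group(1)) is None
                  else str(values[m.group(1)]),
                  template)
```

Note that `[0]` only ever renders the first `ipPermissions` entry, so a single call that authorizes several rules will show only one of them in the resulting notification.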
