【发布时间】:2021-01-07 17:42:41
【问题描述】:
我正在尝试转换以下 JSON 日志:(如果重要,请使用 AWS CloudWatch/Trail)
{
"eventVersion": "1.08",
"userIdentity": {
"type": "IAMUser",
"principalId": "xxx",
"arn": "arn:aws:iam::xxx",
"accountId": "xxx",
"accessKeyId": "xxx",
"userName": "xxx",
"sessionContext": {
"sessionIssuer": {},
"webIdFederationData": {},
"attributes": {
"mfaAuthenticated": "true",
"creationDate": "2021-01-07T13:50:07Z"
}
}
},
"eventTime": "2021-01-07T14:55:03Z",
"eventSource": "ec2.amazonaws.com",
"eventName": "AuthorizeSecurityGroupIngress",
"awsRegion": "us-east-1",
"sourceIPAddress": "xxx",
"userAgent": "console.ec2.amazonaws.com",
"requestParameters": {
"groupId": "sg-xxx",
"ipPermissions": {
"items": [
{
"ipProtocol": "tcp",
"fromPort": 22,
"toPort": 22,
"groups": {},
"ipRanges": {
"items": [
{
"cidrIp": "x.x.x.x/32"
"description": "x"
}
]
},
"ipv6Ranges": {},
"prefixListIds": {}
}
]
}
},
"responseElements": {
"requestId": "xxx",
"_return": true
},
"requestID": "xxx",
"eventID": "xxx",
"readOnly": false,
"eventType": "AwsApiCall",
"managementEvent": true,
"eventCategory": "Management",
"recipientAccountId": "xxx"
}
到以下输出:
“AuthorizeSecurityGroupIngress 在 [user@x.x.x.x] 上针对 [accountname] 上的 sg-xxx 进行”
“端口范围:22”
“源IP:x.x.x.x”
“描述:x”
目前,通过将这两个块传递到 CloudWatch 输入转换器:
{
"event":"$.detail.eventName",
"sg":"$.detail.requestParameters.groupId",
"user":"$.detail.userIdentity.userName",
"sourceip":"$.detail.sourceIPAddress",
"dsc":"$.detail.requestParameters.ipPermissions.items"
}
"<event> made against <sg> on [accountname] from [<user>@<sourceip>]"
"Details: <dsc>"
我能够创建以下输出:
“AuthorizeSecurityGroupIngress 在 [x@x.x.x.x] 的 [accountname] 上针对 sg-xxx 进行”
"详细信息:{items:[{ipProtocol:tcp,fromPort:22,toPort:22,groups:{},ipRanges:{items:[{cidrIp:x.x.x.x/32,description:x}]},ipv6Ranges: {},prefixListIds:{}}]}"
但是,当我尝试通过传递更具体的占位符来进一步指定输入路径时:
{
"event":"$.detail.eventName",
"sg":"$.detail.requestParameters.groupId",
"user":"$.detail.userIdentity.userName",
"sourceip":"$.detail.sourceIPAddress",
"prt":"$.detail.requestParameters.ipPermissions.items.toPort",
"src":"$.detail.requestParameters.ipPermissions.items.ipRanges.items.cidrIp",
"dsc":"$.detail.requestParameters.ipPermissions.items.ipRanges.items.description"
}
"<event> made against <sg> on [accountname] from [<user>@<sourceip>]"
"Port Range: <prt>"
"Source IP: <src>"
"Description: <dsc>"
占位符 (prt,src,dsc) 值的输出为空白:
“AuthorizeSecurityGroupIngress 在 [user@x.x.x.x] 上针对 [accountname] 上的 sg-xxx 进行”
"端口范围:"
“来源IP:”
“描述:”
对比。预计
“AuthorizeSecurityGroupIngress 在 [user@x.x.x.x] 上针对 [accountname] 上的 sg-xxx 进行”
“端口范围:22”
“源IP:x.x.x.x”
“描述:x”
我在哪里弄乱了输入路径?
是 '[]' 括号导致问题吗?
【问题讨论】:
标签: arrays json parsing amazon-cloudwatch amazon-cloudtrail