Custom Plugin - Parse with JSON

For a log sample that arrives in JSON format, we proceed by selecting the patterns as shown below and assigning them to the fields we want.

Event Mapping

For the mapping part, refer to the link below.

Log Message List

Values entered in the mapping section with the Static option are applied to every log.

If we select File instead and upload a JSON file with the appropriate structure, we can build a more comprehensive mapping.

First, we need to pick a log value that can be mapped and assign it to a field.

In this scenario, the field we will use for our mapping is Event.Category.

We then create an eventmap.json file on our computer and list in it the values that can appear in the Event.Category field we specified.

Log samples:

Scan Activity >

{"timestamp":"2024-10-30T10:01","source_ip":"1.1.1.44","category":"Scan Activity","process":"sapd_123123","process_id":8634,"event_code":33312,"severity":"NOTI","source":"AP Logsign-Turkey@1.1.1.77 sapd","device_type":"ap","zone":"zone0","message_type":"ERROR","destination_ip":"10.10.0.10","tunnel":"none","error_code":"RC_ERROR_IKEP1"}

Web Access Allow >

{"timestamp":"2024-10-30T15:45","source_ip":"2.2.2.55","category":"Web Access Allow","process":"httpd_456789","process_id":4321,"event_code":54321,"severity":"INFO","source":"AP WebServer@2.2.2.55 httpd","device_type":"firewall","zone":"zone1","message_type":"ALLOW","destination_ip":"192.168.1.100","tunnel":"vpn0","error_code":"NO_ERROR"}

In this case, a mapping file can be prepared as follows.

{
    "Scan Activity": {
        "EventMap.Context": "Security",
        "EventMap.Type": "Scan",
        "EventMap.SubType": "Info"
    },
    "Web Access Allow": {
        "EventMap.Context": "Network",
        "EventMap.Type": "Session",
        "EventMap.SubType": "Allow"
    }
}

With this file in place, a log whose Event.Category is Scan Activity is mapped to the values defined under the Scan Activity key.

If the log is changed and the test is repeated, the mapping changes accordingly.

The only point to watch in the mapping section is that the keys written to eventmap.json must be the values that actually occur in the field you selected. When making these assignments, refer to the Excel sheet named Log Message List.
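The lookup the plugin performs with eventmap.json, shown here as an added example that is not part of the article or of Logsign's own code: the raw "category" key is assumed to be the one the plugin exposes as Event.Category, the log lines are abridged copies of the two samples plus one constructed log with an unmapped category, and the "Unknown" defaults and the validation helpers are assumptions for illustration.

```python
import json

# eventmap.json content as shown in the article, embedded here as a string.
EVENTMAP_JSON = """
{
  "Scan Activity":    {"EventMap.Context": "Security", "EventMap.Type": "Scan",    "EventMap.SubType": "Info"},
  "Web Access Allow": {"EventMap.Context": "Network",  "EventMap.Type": "Session", "EventMap.SubType": "Allow"}
}
"""

# Constructed, abridged log lines: the two article samples plus one whose
# category has no entry in the mapping file (to exercise the fallback path).
SAMPLE_LOGS = [
    '{"timestamp":"2024-10-30T10:01","source_ip":"1.1.1.44","category":"Scan Activity","severity":"NOTI"}',
    '{"timestamp":"2024-10-30T15:45","source_ip":"2.2.2.55","category":"Web Access Allow","severity":"INFO"}',
    '{"timestamp":"2024-10-30T16:02","source_ip":"3.3.3.66","category":"Config Change","severity":"WARN"}',
]

# Assumed defaults applied when a category is missing from eventmap.json.
UNMAPPED = {"EventMap.Context": "Unknown", "EventMap.Type": "Unknown", "EventMap.SubType": "Unknown"}


def load_eventmap(text):
    """Parse eventmap.json and check that every entry carries all three EventMap fields."""
    mapping = json.loads(text)
    required = {"EventMap.Context", "EventMap.Type", "EventMap.SubType"}
    for key, fields in mapping.items():
        missing = required - set(fields)
        if missing:
            raise ValueError(f"eventmap entry {key!r} lacks {sorted(missing)}")
    return mapping


def map_event(log_line, mapping, field="category"):
    """Parse one JSON log, look up the selected field in the mapping, and return
    the parsed log extended with the EventMap.* fields (or the UNMAPPED defaults)."""
    event = json.loads(log_line)
    event.update(mapping.get(event.get(field), UNMAPPED))
    return event


def unmapped_categories(log_lines, mapping, field="category"):
    """Return the field values seen in the logs that eventmap.json does not cover,
    i.e. the keys that still need to be added to the file."""
    seen = {json.loads(line).get(field) for line in log_lines}
    return sorted(seen - set(mapping))


if __name__ == "__main__":
    eventmap = load_eventmap(EVENTMAP_JSON)
    for line in SAMPLE_LOGS:
        e = map_event(line, eventmap)
        print(e["category"], "->", e["EventMap.Context"], e["EventMap.Type"], e["EventMap.SubType"])
    print("categories missing from eventmap.json:", unmapped_categories(SAMPLE_LOGS, eventmap))
```

Running unmapped_categories over a representative log export before uploading the file is a quick way to catch category values that were left out of eventmap.json.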
