问题描述
我正在尝试转换以下 JSON 日志:(AWS CloudWatch/Trail 如果重要)
{
"eventVersion": "1.08","userIdentity": {
"type": "IAMUser","principalId": "xxx","arn": "arn:aws:iam::xxx","accountId": "xxx","accessKeyId": "xxx","userName": "xxx","sessionContext": {
"sessionIssuer": {},"webIdFederationData": {},"attributes": {
"mfaAuthenticated": "true","creationDate": "2021-01-07T13:50:07Z"
}
}
},"eventTime": "2021-01-07T14:55:03Z","eventSource": "ec2.amazonaws.com","eventName": "AuthorizeSecurityGroupIngress","awsRegion": "us-east-1","sourceIPAddress": "xxx","userAgent": "console.ec2.amazonaws.com","requestParameters": {
"groupId": "sg-xxx","ipPermissions": {
"items": [
{
"ipProtocol": "tcp","fromPort": 22,"toPort": 22,"groups": {},"ipRanges": {
"items": [
{
"cidrIp": "x.x.x.x/32"
"description": "x"
}
]
},"ipv6Ranges": {},"prefixListIds": {}
}
]
}
},"responseElements": {
"requestId": "xxx","_return": true
},"requestID": "xxx","eventID": "xxx","readOnly": false,"eventType": "AwsApiCall","managementEvent": true,"eventCategory": "Management","recipientAccountId": "xxx"
}
到以下输出:
“对来自 [[email protected]] 的 [accountname] 上的 sg-xxx 进行 AuthorizeSecurityGroupIngress”
“端口范围:22”
“源IP:x.x.x.x”
“描述:x”
目前,通过将这 2 个块传递到 CloudWatch 输入转换器:
{
"event":"$.detail.eventName","sg":"$.detail.requestParameters.groupId","user":"$.detail.userIdentity.userName","sourceip":"$.detail.sourceIPAddress","dsc":"$.detail.requestParameters.ipPermissions.items"
}
"<event> made against <sg> on [accountname] from [<user>@<sourceip>]"
"Details: <dsc>"
我能够创建以下输出:
“对来自 [[email protected]] 的 [accountname] 上的 sg-xxx 进行授权安全组入口”
"详情:{items:[{ipProtocol:tcp,fromPort:22,toPort:22,groups:{},ipRanges:{items:[{cidrIp:xxxx/32,description:x}]},ipv6Ranges: {},prefixListIds:{}}]}"
但是,当我尝试通过传递更具体的占位符来进一步指定输入路径时:
{
"event":"$.detail.eventName","prt":"$.detail.requestParameters.ipPermissions.items.toPort","src":"$.detail.requestParameters.ipPermissions.items.ipRanges.items.cidrIp","dsc":"$.detail.requestParameters.ipPermissions.items.ipRanges.items.description"
}
"<event> made against <sg> on [accountname] from [<user>@<sourceip>]"
"Port Range: <prt>"
"Source IP: <src>"
"Description: <dsc>"
占位符的 (prt,src,dsc) 值的输出为空白:
“对来自 [[email protected]] 的 [accountname] 上的 sg-xxx 进行 AuthorizeSecurityGroupIngress”
"端口范围:"
“源IP:”
“说明:”
VS。预期
“对来自 [[email protected]] 的 [accountname] 上的 sg-xxx 进行 AuthorizeSecurityGroupIngress”
“端口范围:22”
“源IP:x.x.x.x”
“描述:x”
我在哪里搞砸了输入路径?
是否是“[]”括号导致了问题?
解决方法
在两个地方,您的 JSON 有一个 items 数组,但您的代码将它们视为对象。您需要调出要从中提取属性的数组元素:
"prt":"$.detail.requestParameters.ipPermissions.items[0].toPort","src":"$.detail.requestParameters.ipPermissions.items[0].ipRanges.items[0].cidrIp","dsc":"$.detail.requestParameters.ipPermissions.items[0].ipRanges.items[0].description"