So I am trying to parse the description of the ET Rules which is downloaded as json.gz
So it should be a JSON file but it's not taking the default JSON sourcetype, it's showing it as one file.
The beginning of the file starts with a {
Each rule starts like this: "2012742":{
And each rule ends like this: :"2012742"},
I have tried line breaks and INDEXED_EXTRACTIONS=json.
I thought BREAK_AFTER= },
But I am not good with regex and so it's not working.
Thanks for any assistance.
Thanks.
Using it to provide details on the ET rule sets I use on sensors. Trying to tie in rules/usage/and details of the rules together. Hoping that it gives a better view of the total rule sets instead of just loading the newest ones. I want to see what they are, which are disabled, which are enabled, and what they do.
I have something like it being used for Snort Rules, just could not figure out how to use it for the ET Description. Will give this a try soon.
# props.conf stanza for the ET description file (one JSON object keyed by rule id)
[ET_json]
CHARSET=UTF-8
INDEXED_EXTRACTIONS=none
# extract fields from each event's JSON at search time
KV_MODE=json
SHOULD_LINEMERGE=false
category=Structured
description=json
disabled=false
pulldown_type=true
# break before each rule; group 1 ({"2012742": or ,"2012742":) is the delimiter
# Splunk removes, so every event starts at the rule's opening {
LINE_BREAKER=(({|,)\"\d+\":){
# the last rule ends with the file's closing brace, so trim }} to }
SEDCMD-trim = s/}}/}/g
TRUNCATE=0
DATETIME_CONFIG=CURRENT
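As an added check that is not part of the thread or any poster's code, here is a Python script that reproduces what the ET_json stanza does to a constructed sample of the file: it splits on the LINE_BREAKER, discarding capture group 1 the way Splunk does, applies the SEDCMD to every event, and then tries to parse each event as JSON so you can see before indexing whether KV_MODE=json will get valid objects. It also shows an alternative, rewriting the json.gz as one rule per line so the stock JSON handling works and the top-level rule id key is kept; the sample rule text and the field name rule_id are assumptions.

```python
import gzip
import json
import re

# The stanza's LINE_BREAKER with the braces escaped so Python's re reads it
# as Splunk's PCRE does: group 1 ({"2012742": or ,"2012742":) is the delimiter
# Splunk removes; the trailing { stays and begins the next event.
LINE_BREAKER = re.compile(r'(([{,])"\d+":)\{')

# Constructed sample in the shape described in the question: one object keyed
# by rule id, each value being that rule's description (contents are made up).
SAMPLE = (
    '{"2012742":{"sid":"2012742","msg":"ET TEST rule one","enabled":true},'
    '"2012743":{"sid":"2012743","msg":"ET TEST rule two","enabled":false}}'
)


def splunk_events(raw):
    """Reproduce the stanza: split raw text on LINE_BREAKER (dropping group 1),
    then apply SEDCMD-trim = s/}}/}/g to each resulting event."""
    events = []
    cursor = 0
    for m in LINE_BREAKER.finditer(raw):
        if m.start(1) > cursor:
            events.append(raw[cursor:m.start(1)])
        cursor = m.end(1)
    if cursor < len(raw):
        events.append(raw[cursor:])
    # Splunk applies the SEDCMD to every event, not just the last one.
    return [re.sub(r"\}\}", "}", ev) for ev in events]


def check_events(raw):
    """Return (event, parsed) pairs; parsed is None when the event is no longer
    valid JSON, which is exactly the case where KV_MODE=json extracts nothing."""
    out = []
    for ev in splunk_events(raw):
        try:
            out.append((ev, json.loads(ev)))
        except json.JSONDecodeError:
            out.append((ev, None))
    return out


def to_ndjson(raw, id_field="rule_id"):
    """Alternative: one rule per line, with the top-level key copied into
    id_field (an assumed name) so the id survives without any LINE_BREAKER."""
    doc = json.loads(raw)
    lines = []
    for rule_id, rule in doc.items():
        record = dict(rule)
        record[id_field] = rule_id
        lines.append(json.dumps(record, separators=(",", ":")))
    return lines


def read_json_gz(path):
    """Read the downloaded json.gz as text (path is whatever you saved it as)."""
    with gzip.open(path, "rt", encoding="utf-8") as fh:
        return fh.read()


if __name__ == "__main__":
    for ev, parsed in check_events(SAMPLE):
        print("OK " if parsed is not None else "BAD", ev)
    print("\n".join(to_ndjson(SAMPLE)))
```

One caveat the check makes visible: because `s/}}/}/g` runs on every event, any rule whose description contains a nested object (so the rule itself ends in `}}`) gets a brace stripped and stops being valid JSON unless it happens to be the last rule in the file; run check_events over the real file and look for BAD lines before trusting the stanza, or use the one-rule-per-line conversion, which needs neither the LINE_BREAKER nor the SEDCMD.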
What do you use this data for? Please tell me.
The creation date is better for _time, I think.
But you should modify indexes.conf.
I don't know much about it, so I decided to stay in the present for now.