2021-07-07 12:52 AM
Hello.
We get JSON/LEEF from ESET ERA (7.x).
I've tried to parse the JSON event using Config - Log Parser Rules.
I've created a new parser and clean JSON parses well, but the problem is that the logs we get are partially text and then JSON. That's why it can't parse these events, I suppose.
The logs we get look like this:
1 2021-07-07T04:11:01.229Z eset-new ERAServer 3336 - - {"event_type":"FilteredWebsites_Event","ipv4":"192.168.1.1","hostname":"pc8","source_uuid":"8264bb96-e040-4d96-9bd8-acb5f9aa0f86","occured":"07-Jul-2021 04:10:48","severity":"Information","event":"An attempt to connect to URL","target_address":"192.168.1.1","target_address_type":"IPv4","scanner_id":"HTTP filter","action_taken":"blocked","object_uri":"http://dl.delivery.mp.microsoft.com","hash":"B3D7C886DC6607A50874E0ECF2B90CFC3C4B57B8","username":"NT AUTHORITY\\NETWORK SERVICE","processname":"C:\\Windows\\System32\\svchost.exe","rule_id":"Blocked by user's blacklist"}
If I remove the text at the top of the log, the JSON parses well and I can map this new parser, but it doesn't work.
2022-08-19 10:26 AM
Interested in the answer. We receive syslog events with a JSON payload, so it's basically the same problem. If anyone could point to the right way to parse this kind of event.
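Added example for both posts above (my code, not from either poster, ESET or the SIEM vendor): the "text at the top" of the posted line is a standard RFC 5424 syslog header, seven space-separated fields (version `1`, timestamp, hostname `eset-new`, app-name `ERAServer`, procid `3336`, msgid `-`, structured-data `-`), and the JSON is the MSG part. The reliable approach is to match those seven fields first and hand only the remainder to the JSON decoder, instead of feeding the whole line to a JSON parser. The `@cee:` cookie handling and the first-`{` fallback for non-5424 prefixes are assumptions about other forwarders, not something the posted line shows; the sample line is the one from the first post.

```python
import json
import re
from typing import Any, Dict, Tuple

# Line from the first post, kept verbatim. Raw strings so the JSON's escaped
# backslashes (e.g. "NT AUTHORITY\\NETWORK SERVICE") reach the decoder intact.
SAMPLE_LINE = (
    r"""1 2021-07-07T04:11:01.229Z eset-new ERAServer 3336 - - """
    r"""{"event_type":"FilteredWebsites_Event","ipv4":"192.168.1.1","hostname":"pc8","""
    r""""source_uuid":"8264bb96-e040-4d96-9bd8-acb5f9aa0f86","occured":"07-Jul-2021 04:10:48","""
    r""""severity":"Information","event":"An attempt to connect to URL","target_address":"192.168.1.1","""
    r""""target_address_type":"IPv4","scanner_id":"HTTP filter","action_taken":"blocked","""
    r""""object_uri":"http://dl.delivery.mp.microsoft.com","hash":"B3D7C886DC6607A50874E0ECF2B90CFC3C4B57B8","""
    r""""username":"NT AUTHORITY\\NETWORK SERVICE","processname":"C:\\Windows\\System32\\svchost.exe","""
    r""""rule_id":"Blocked by user's blacklist"}"""
)

# RFC 5424: [<PRI>]VERSION SP TIMESTAMP SP HOSTNAME SP APP-NAME SP PROCID SP MSGID SP SD [SP MSG]
# SD is either "-" or one or more [...] elements. PRI is optional because many
# relays strip it before writing the line to disk or forwarding it.
RFC5424_RE = re.compile(
    r"^(?:<(?P<pri>\d{1,3})>)?"
    r"(?P<version>\d)\s+"
    r"(?P<timestamp>\S+)\s+"
    r"(?P<hostname>\S+)\s+"
    r"(?P<appname>\S+)\s+"
    r"(?P<procid>\S+)\s+"
    r"(?P<msgid>\S+)\s+"
    r"(?P<sd>-|(?:\[[^\]]*\])+)\s*"
    r"(?P<msg>.*)$",
    re.DOTALL,
)

_DECODER = json.JSONDecoder()


def split_syslog_json(line: str) -> Tuple[Dict[str, str], Dict[str, Any]]:
    """Split one line into (syslog header fields, decoded JSON event)."""
    m = RFC5424_RE.match(line.strip())
    if m:
        header = {k: v for k, v in m.groupdict().items() if k != "msg" and v is not None}
        payload = m.group("msg")
    else:
        # Assumed fallback for non-5424 prefixes (e.g. an RFC 3164 header):
        # treat everything before the first '{' as opaque header text.
        start = line.find("{")
        if start < 0:
            raise ValueError("no JSON object found in line")
        header = {"raw_header": line[:start].strip()}
        payload = line[start:]

    payload = payload.lstrip()
    # Assumption: some agents prefix JSON in MSG with the CEE cookie "@cee:".
    if payload.startswith("@cee:"):
        payload = payload[len("@cee:"):].lstrip()
    if not payload.startswith("{"):
        raise ValueError(f"MSG part is not a JSON object: {payload[:40]!r}")

    # raw_decode stops at the end of the first complete object, so any trailing
    # text a forwarder appends cannot break the parse.
    event, _end = _DECODER.raw_decode(payload)
    return header, event


def to_record(line: str) -> Dict[str, Any]:
    """Flatten header + event into one dict, the shape a SIEM field mapping wants.
    Header fields get a syslog_ prefix so they cannot collide with event keys."""
    header, event = split_syslog_json(line)
    record = {f"syslog_{k}": v for k, v in header.items()}
    record.update(event)
    return record


if __name__ == "__main__":
    print(json.dumps(to_record(SAMPLE_LINE), indent=2))
```

If the parser product only offers regex-based rules, the same seven-field pattern can be used there: capture the header with the named groups above and point the JSON stage at the `msg` capture only.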