
I have a JSON log from ModSecurity for nginx. I have sent it to Elasticsearch. Now I want to write a Python script to get data from Elasticsearch and use it to trigger a Zabbix monitor.

But I am confused by this. Here is my data when I get it from Elasticsearch:

curl -X GET "localhost:9200/modsecurity_*/_search?size=1&pretty"


{
  "took" : 0,
  "timed_out" : false,
  "_shards" : {
    "total" : 1,
    "successful" : 1,
    "skipped" : 0,
    "failed" : 0
  },
  "hits" : {
    "total" : {
      "value" : 6850,
      "relation" : "eq"
    },
    "max_score" : 1.0,
    "hits" : [
      {
        "_index" : "modsecurity_20200316",
        "_type" : "modsecurity",
        "_id" : "A-1n4nABQLLqq2S26hS0",
        "_score" : 1.0,
        "_source" : {
          "client_ip" : "",
          "producer" : {
            "connector" : "ModSecurity-nginx v1.0.1",
            "components" : [ ... ],
            "modsecurity" : "ModSecurity v3.0.4 (Linux)",
            "secrules_engine" : "Enabled"
          },
          "host_port" : 80,
          "request" : {
            "body" : "<!--#include virtual=\"/index.jsp\"-->",
            "http_version" : 1.1,
            "headers" : {
              "content-length" : "36",
              "host" : "localhost",
              "user-agent" : "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36",
              "connection" : "Keep-Alive",
              "content-type" : "application/x-www-form-urlencoded"
            },
            "method" : "GET",
            "uri" : "/Excel/"
          },
          "server_id" : "c46580787c35fc368143d376c8f037e2e63514e4",
          "host_ip" : "",
          "client_port" : 48100,
          "unixts" : 1584346386925,
          "msg" : {
            "severity" : [ ... ],
            "tags" : [ ... ],
            "ruleid" : [ ... ],
            "file" : [ ... ],
            "linenumber" : [ ... ],
            "message" : [
              "GET or HEAD Request with Body Content.",
              "Node-Validator Blacklist Keywords",
              "Inbound Anomaly Score Exceeded (Total Score: 15)"
            ],
            "data" : [
              "Matched Data: --> found within ARGS:<!--#include virtual: \"/index.jsp\"-->",
              ...
            ],
            "match" : [
              "Matched \"Operator `Rx' with parameter `^0?$' against variable `REQUEST_HEADERS:Content-Length' (Value: `36' )",
              "Matched \"Operator `Pm' with parameter `document.cookie document.write .parentnode .innerhtml window.location -moz-binding <!-- --> <![cdata[' against variable `ARGS:<!--#include virtual' (Value: `\"/index.jsp\"-->' )",
              "Matched \"Operator `Ge' with parameter `5' against variable `TX:ANOMALY_SCORE' (Value: `15' )"
            ]
          },
          "time_stamp" : "Mon Mar 16 15:13:06 2020",
          "response" : {
            "body" : "<html>\r\n<head><title>403 Forbidden</title></head>\r\n<body>\r\n<center><h1>403 Forbidden</h1></center>\r\n<hr><center>nginx/1.17.8</center>\r\n</body>\r\n</html>\r\n<!-- a padding to disable MSIE and Chrome friendly error page -->\r\n<!-- a padding to disable MSIE and Chrome friendly error page -->\r\n<!-- a padding to disable MSIE and Chrome friendly error page -->\r\n<!-- a padding to disable MSIE and Chrome friendly error page -->\r\n<!-- a padding to disable MSIE and Chrome friendly error page -->\r\n<!-- a padding to disable MSIE and Chrome friendly error page -->\r\n",
            "headers" : {
              "date" : "Mon, 16 Mar 2020 08:13:06 GMT",
              "content-length" : "555",
              "content-type" : "text/html",
              "connection" : "keep-alive",
              "server" : "nginx/1.17.8"
            },
            "http_code" : 403
          },
          "unique_id" : "158434638692.527282"
        }
      }
    ]
  }
}

I want to get the content of tags:

"tags" : [
Easy way in Python using the json module:

import json

If your result is returned as a dict:


and if your result is returned as a string:


It will get the tags from the first result.

Easy way in Elasticsearch to get only the tags from the search query:

curl -XGET "http://localhost:9200/modsecurity_*/_search" -H 'Content-Type: application/json' -d'{  "size": 1,   "_source": ["msg.tags"],  "query": {"match_all": {}}}'

Maybe it helps (^^)

    Hi, if I want only the tags[3] value, how do I edit your Elasticsearch query? curl -XGET "http://localhost:9200/modsecurity_*/_search" -H 'Content-Type: application/json' -d'{ "size": 1, "_source": ["msg.tags"], "query": {"match_all": {}}}'. In this case the tags[3] value is attack-protocol – nistelrooy41001662 Mar 17 '20 at 07:53
  • If you mean how to query tags that contain "attack-protocol", use curl -XGET "localhost:9200/modsecurity_*/_search" -H 'Content-Type: application/json' -d'{ "size": 1, "_source": ["msg.tags"], "query": {{"match_phrase": { "msg.tags": "attack-protocol" }}}' – LOLiCON Na Mar 17 '20 at 09:04
  • I mean a response of only "attack-protocol", please. – nistelrooy41001662 Mar 17 '20 at 09:05
  • I added an extra '{' after '"query": {', just delete one of them. And I don't know how to get only one value from the query. I usually use another program to get only one value, like a loop that checks and gets the value. – LOLiCON Na Mar 17 '20 at 09:31
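The client-side part that the answer and the comment thread both leave open, as an added example (not code from the answer or the comments): one script that accepts the Elasticsearch result either as a parsed dict or as raw JSON text, pulls `hits.hits[].​_source.msg.tags` out of every hit without crashing on hits that have no `msg` block, picks a single element such as `tags[3]`, filters hits by a tag value (the client-side twin of the `match_phrase` query), and builds the search body with balanced braces. The sample response is constructed for this example in the shape of the curl output above; the ids, IPs and tag lists are made up, and the function names are mine. The tag count is the kind of single integer you would then push to a Zabbix trapper item (for instance with zabbix_sender), which is the part of the pipeline the question asks about.

```python
import json
from typing import Any, Dict, List, Optional, Union

# Constructed sample: an Elasticsearch search response trimmed to the fields the
# script touches, in the same shape as the curl output in the question. The ids,
# IPs and tag lists are made up for this example, not taken from a real cluster.
SAMPLE_RESPONSE: Dict[str, Any] = {
    "hits": {
        "total": {"value": 3, "relation": "eq"},
        "hits": [
            {
                "_index": "modsecurity_20200316",
                "_id": "doc-1",
                "_source": {
                    "client_ip": "198.51.100.7",
                    "request": {"method": "GET", "uri": "/Excel/"},
                    "msg": {"tags": ["application-multi", "language-multi",
                                     "platform-multi", "attack-protocol"]},
                },
            },
            {
                "_index": "modsecurity_20200316",
                "_id": "doc-2",
                "_source": {
                    "client_ip": "203.0.113.9",
                    "request": {"method": "POST", "uri": "/login"},
                    "msg": {"tags": ["application-multi", "attack-sqli"]},
                },
            },
            {   # a hit with no msg block at all: must not crash the script
                "_index": "modsecurity_20200316",
                "_id": "doc-3",
                "_source": {"client_ip": "192.0.2.4",
                            "request": {"method": "GET", "uri": "/"}},
            },
        ],
    }
}
# The same response as the raw JSON text an HTTP client would hand back.
SAMPLE_RESPONSE_TEXT = json.dumps(SAMPLE_RESPONSE)

Result = Union[str, bytes, Dict[str, Any]]


def load_response(result: Result) -> Dict[str, Any]:
    """Accept the search result as an already-parsed dict or as raw JSON
    text/bytes, and return a dict either way."""
    if isinstance(result, (str, bytes)):
        return json.loads(result)
    return result


def tags_of(hit: Dict[str, Any]) -> List[str]:
    """msg.tags of one hit, or [] when any part of the path is missing."""
    msg = hit.get("_source", {}).get("msg") or {}
    return [str(t) for t in (msg.get("tags") or [])]


def all_tags(result: Result) -> List[List[str]]:
    """msg.tags of every hit, in response order."""
    return [tags_of(h) for h in load_response(result)["hits"]["hits"]]


def nth_tag(hit: Dict[str, Any], index: int) -> Optional[str]:
    """One element of msg.tags (e.g. tags[3]); None instead of an IndexError."""
    tags = tags_of(hit)
    return tags[index] if 0 <= index < len(tags) else None


def hits_with_tag(result: Result, wanted: str) -> List[Dict[str, Any]]:
    """Hits whose msg.tags contains `wanted`, filtered client-side."""
    return [h for h in load_response(result)["hits"]["hits"] if wanted in tags_of(h)]


def count_tag(result: Result, wanted: str) -> int:
    """Number of hits carrying `wanted`: one integer, the kind of value a
    Zabbix trapper item expects (e.g. pushed with zabbix_sender)."""
    return len(hits_with_tag(result, wanted))


def search_body(tag: Optional[str] = None, size: int = 1) -> str:
    """JSON body for POST /modsecurity_*/_search that returns only msg.tags
    from _source and, when `tag` is given, only documents whose msg.tags
    contains it (the comment's match_phrase query, with balanced braces)."""
    query: Dict[str, Any] = {"match_phrase": {"msg.tags": tag}} if tag else {"match_all": {}}
    return json.dumps({"size": size, "_source": ["msg.tags"], "query": query})


if __name__ == "__main__":
    print(all_tags(SAMPLE_RESPONSE_TEXT))
    print(nth_tag(load_response(SAMPLE_RESPONSE_TEXT)["hits"]["hits"][0], 3))
    print(count_tag(SAMPLE_RESPONSE, "attack-sqli"))
    print(search_body("attack-protocol"))
```

Two caveats when you run this against a real index. `_source` filtering can narrow the response to `msg.tags`, but it always returns the whole array, so selecting `tags[3]` has to happen in the client, which is what `nth_tag` does. And `match_phrase` on a field mapped as `text` analyzes "attack-protocol" into the tokens "attack" and "protocol" before matching; if `msg.tags` is mapped as `keyword` in your index, use a `term` query for an exact match instead. The tags themselves come from rule definitions, but `request.body`, `request.uri` and `msg.data` are attacker-controlled, so do not paste them unescaped into alert text.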