Not sure that would work. My current pipeline ingests the XML document and then uses the xml filter on the message field to parse out the different fields. Since <statement><field1><field2></field2></field1></statement>
is on its own line, the XML filter sees it as a single event. I'd gladly rearrange things if it's possible to make this work, though.
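# Pipeline: read DMARC aggregate reports (XML) from disk and extract fields
# with XPath. Fix: the original had one closing brace too many after the
# filter section, which is a syntax error at config load time.
input {
  file {
    id => "Ingest"
    path => "C:/DMARC/*.xml"
    # Every line that does NOT contain "<record>" is appended to the previous
    # event, so each event is the text from one "<record>" line up to the next.
    # NOTE(review): the text before the first <record> and the trailing text
    # after the last one are therefore not complete documents on their own;
    # watch for the xml filter's _xmlparsefailure tag on those events.
    codec => multiline {
      negate => true
      pattern => "<record>"
      what => "previous"
    }
  }
}
filter {
  # NOTE(review): these reports are produced by external senders. Confirm how
  # the xml filter treats DTD / external entity declarations in untrusted input
  # before pointing this at feeds you do not control.
  xml {
    id => "Parse"
    # force_array: every target field becomes a list, even for a single match.
    force_array => true
    store_xml => false
    source => "message"
    # Pairs of [xpath expression, destination field]. The "feedback/..." paths
    # only match an event whose root element is <feedback>; the "record/..."
    # paths only match an event whose root element is <record>, so the two
    # groups populate different events with the multiline split above.
    xpath => [
      "feedback/report_metadata/org_name/text()", "report.org",
      "feedback/report_metadata/email/text()", "report.org_contact",
      "feedback/report_metadata/extra_contact_info/text()", "report.additional_contact",
      "feedback/report_metadata/report_id/text()", "report.id",
      "feedback/report_metadata/date_range/begin/text()", "report.start",
      "feedback/report_metadata/date_range/end/text()", "report.end",
      "feedback/policy_published/domain/text()", "policy.domain",
      "feedback/policy_published/aspf/text()", "policy.spf_mode",
      "feedback/policy_published/adkim/text()", "policy.dkim_mode",
      "feedback/policy_published/p/text()", "policy.dmarc.domain_action",
      "feedback/policy_published/sp/text()", "policy.dmarc.subdomain_action",
      "feedback/policy_published/pct/text()", "policy.percentage",
      "record/row/source_ip/text()", "email.source_ip",
      "record/row/count/text()", "email.count",
      "record/row/policy_evaluated/disposition/text()", "email.dmarc_action",
      "record/row/policy_evaluated/spf/text()", "email.spf_evaluation",
      "record/row/policy_evaluated/dkim/text()", "email.dkim_evaluation",
      "record/row/policy_evaluated/reason/type/text()", "dmarc.override_type",
      "record/row/policy_evaluated/reason/comment/text()", "dmarc.override_comment",
      "record/identifiers/envelope_to/text()", "email.envelope_to",
      "record/identifiers/envelope_from/text()", "email.envelope_from",
      "record/identifiers/header_from/text()", "email.header_from",
      "record/auth_results/dkim/domain/text()", "authresult.dkim_domain",
      "record/auth_results/dkim/result/text()", "authresult.dkim_result",
      "record/auth_results/spf/domain/text()", "authresult.spf_domain",
      "record/auth_results/spf/scope/text()", "authresult.spf_scope",
      "record/auth_results/spf/result/text()", "authresult.spf_result"
    ]
  }
}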