We are trying to extract a couple of fields via filters from within the nested 'messages' section of a Windows Event Log. Below is the nested info from event_data.param2:
<?xml version="1.0" encoding="utf-16"?>
<AuditBase xmlns:xsd="http://www.w3.org/2001/XMLSchema"
           xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="ExtranetLockoutAudit">
  <AuditType>ExtranetLockout</AuditType>
  <AuditResult>Failure</AuditResult>
  <FailureType>ExtranetLockoutError</FailureType>
  <ErrorCode>AccountRestrictedAudit</ErrorCode>
  <ContextComponents>
    <Component xsi:type="ResourceAuditComponent">
      <RelyingParty>N/A</RelyingParty>
      <ClaimsProvider>N/A</ClaimsProvider>
      <UserId>TEST\GuiltyUser</UserId>
    </Component>
    <Component xsi:type="RequestAuditComponent">
      <Server>N/A</Server>
      <AuthProtocol>N/A</AuthProtocol>
      <NetworkLocation>Extranet</NetworkLocation>
      <IpAddress>172.2.3.4,172.6.7.8</IpAddress>
      <ForwardedIpAddress>172.9.0.1,172.10.1.45</ForwardedIpAddress>
      <ProxyIpAddress>N/A</ProxyIpAddress>
      <NetworkIpAddress>N/A</NetworkIpAddress>
      <ProxyServer>OurServer</ProxyServer>
      <UserAgentString>N/A</UserAgentString>
      <Endpoint>/adfs/services/trust/2005/usernamemixed</Endpoint>
    </Component>
    <Component xsi:type="LockoutConfigAuditComponent">
      <CurrentBadPasswordCount>1</CurrentBadPasswordCount>
      <ConfigBadPasswordCount>1</ConfigBadPasswordCount>
      <LastBadAttempt>10/30/2018 16:38:47</LastBadAttempt>
      <LockoutWindowConfig>00:20:00</LockoutWindowConfig>
    </Component>
  </ContextComponents>
</AuditBase>
We are trying to pull out the following nested fields: ForwardedIpAddress and UserId.
We are trying to filter the data and have:
extranet
filter {
  if "wineventlog" in [tags] and [event_id] == 1210 {
    xml {
      # A nested field is referenced as [parent][child]; the dotted string
      # "event_data.param2" is read as a single literal top-level field name.
      source => "[event_data][param2]"
      store_xml => false
      # Each xpath match is stored as an array of strings in the target field.
      xpath => {
        "/AuditBase/ContextComponents/Component/ForwardedIpAddress/text()" => "ForwardedIp"
        "/AuditBase/ContextComponents/Component/UserId/text()" => "UserId"
      }
    }
  }
}
The XPath works in an online generator and extracts the IP 172.9.0.1,172.10.1.45, but this never happens in Logstash... Any thoughts on how to make this work? Ideally we want to extract just 172.9.0.1 (the first IP address).
thx
Dave
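A stand-alone check of the extraction the post asks for, as an added example (not the Logstash xml filter's code and not from the original post): it parses the AuditBase document with Python's xml.etree, picks each Component by its xsi:type, treats the ADFS placeholder N/A as missing, and splits off the first forwarded IP. ElementTree implements only a subset of XPath (no text() step), so element text is read with findtext rather than the post's /text() path.

```python
"""Added example (not Logstash's xml filter): parse an ADFS
ExtranetLockoutAudit blob from event_data.param2 and pull UserId plus the
first ForwardedIpAddress, the way the post's xpath would."""
import re
import xml.etree.ElementTree as ET

XSI = "{http://www.w3.org/2001/XMLSchema-instance}"  # Clark notation for xsi:

# Constructed sample: the post's nested XML, trimmed to the fields used here.
SAMPLE = """<?xml version="1.0" encoding="utf-16"?>
<AuditBase xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="ExtranetLockoutAudit">
<ContextComponents>
<Component xsi:type="ResourceAuditComponent">
<UserId>TEST\\GuiltyUser</UserId>
</Component>
<Component xsi:type="RequestAuditComponent">
<ForwardedIpAddress>172.9.0.1,172.10.1.45</ForwardedIpAddress>
<ProxyIpAddress>N/A</ProxyIpAddress>
</Component>
</ContextComponents>
</AuditBase>"""

def _text(component, name):
    """Child text, or None when the element is missing or holds the ADFS placeholder N/A."""
    if component is None:
        return None
    value = (component.findtext(name) or "").strip()
    return None if value in ("", "N/A") else value

def parse_lockout_audit(param2: str) -> dict:
    # The prolog claims utf-16, but the value is already decoded text once it
    # sits in a string; strip it so the parser cannot act on a mismatched declaration.
    body = re.sub(r"^\s*<\?xml[^>]*\?>", "", param2)
    root = ET.fromstring(body)
    # Select each Component by its xsi:type instead of trusting that child
    # element names are unique across all components.
    base = "./ContextComponents/Component"
    req = root.find(f"{base}[@{XSI}type='RequestAuditComponent']")
    res = root.find(f"{base}[@{XSI}type='ResourceAuditComponent']")
    forwarded = _text(req, "ForwardedIpAddress")
    return {
        "UserId": _text(res, "UserId"),
        "ForwardedIp": forwarded,
        # The first entry of the comma-separated chain is what the post wants.
        "ForwardedIpFirst": forwarded.split(",")[0].strip() if forwarded else None,
        "ProxyIp": _text(req, "ProxyIpAddress"),
    }
```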