Extract field from Messages section of Windows Event Log

We are trying to extract a couple fields via filters from within the nested 'messages' section of a Windows Event Log. Below is the nested info from event_data.param2 :

<?xml version="1.0" encoding="utf-16"?>
<AuditBase xmlns:xsd="http://www.w3.org/2001/XMLSchema" 
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="ExtranetLockoutAudit">
  <AuditType>ExtranetLockout</AuditType>
  <AuditResult>Failure</AuditResult>
  <FailureType>ExtranetLockoutError</FailureType>
  <ErrorCode>AccountRestrictedAudit</ErrorCode>
  <ContextComponents>
<Component xsi:type="ResourceAuditComponent">
  <RelyingParty>N/A</RelyingParty>
  <ClaimsProvider>N/A</ClaimsProvider>
  <UserId>TEST\GuiltyUser</UserId>
</Component>
<Component xsi:type="RequestAuditComponent">
  <Server>N/A</Server>
  <AuthProtocol>N/A</AuthProtocol>
  <NetworkLocation>Extranet</NetworkLocation>
  <IpAddress>172.2.3.4,172.6.7.8</IpAddress>
  <ForwardedIpAddress>172.9.0.1,172.10.1.45</ForwardedIpAddress>
  <ProxyIpAddress>N/A</ProxyIpAddress>
  <NetworkIpAddress>N/A</NetworkIpAddress>
  <ProxyServer>OurServer</ProxyServer>
  <UserAgentString>N/A</UserAgentString>
  <Endpoint>/adfs/services/trust/2005/usernamemixed</Endpoint>
</Component>
<Component xsi:type="LockoutConfigAuditComponent">
  <CurrentBadPasswordCount>1</CurrentBadPasswordCount>
  <ConfigBadPasswordCount>1</ConfigBadPasswordCount>
  <LastBadAttempt>10/30/2018 16:38:47</LastBadAttempt>
  <LockoutWindowConfig>00:20:00</LockoutWindowConfig>
</Component>

We are trying to pull out the following nested fields

ForwardedIpAddress and UserId

We are trying to filter the data and have:

extranet

filter {
if "wineventlog" in [tags] and [event_id] == 1210 {

xml {
source => "event_data.param2"
store_xml => false
xpath => ["/AuditBase/ContextComponents/Component/ForwardedIpAddress/text()","ForwardedIp"]
}
}
}

Xpath path works in an online generator and extracts the IP 172.9.0.1,172.10.1.45 but this never happens in Logstash...Any thoughts on how to make this work. Ideally we want to extra just the 172.9.0.1 (the first IP address)

thx

Dave

It may be best to ask this question on the Logstash forum here https://discuss.elastic.co/c/logstash . This use case should work, but I don't have expertise with the XML filter.

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.