From XML to an index

Hi all,

what is the simplest and most automatic way to load an index from an XML file containing many entries?

The file looks like this:

<Events>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Service Control Manager" Guid="{555908d1-a6d7-4695-8e1e-26931d2012f4}" EventSourceName="Service Control Manager"></Provider>
<EventID Qualifiers="16384">7036</EventID>
<Version>0</Version>
<Level>4</Level>
<Task>0</Task>
<Opcode>0</Opcode>
<Keywords>0x8080000000000000</Keywords>
<TimeCreated SystemTime="2024-09-13 10:07:49.771505"></TimeCreated>
<EventRecordID>175226</EventRecordID>
<Correlation ActivityID="" RelatedActivityID=""></Correlation>
<Execution ProcessID="660" ThreadID="5840"></Execution>
<Channel>System</Channel>
<Computer>XXXXXXX.itmaster.local</Computer>
<Security UserID=""></Security>
</System>
<EventData><Data Name="param1">Smart Card</Data>
<Data Name="param2">running</Data>
<Binary>UwBDAGEAcgBkAFMAdgByAC8ANAAAAA==</Binary>
</EventData>
</Event>
<Events>

Obviously there are more Event entries.

Thanks for your help

You can use something like this:

input {
  file {
    path => "/path/yourXMLsample.xml"
    start_position => beginning
    sincedb_path => "/dev/null" # Win sincedb_path => "NUL"
    codec => multiline {
      pattern => '^<Events>'
      negate => true
      what => previous
      auto_flush_interval => 1
      multiline_tag => ""
    }
  }
}
filter {
  xml {
    source => "message"
    target => "doc"
    id => "xml"
  }
  mutate { remove_field => [ "log", "event", "host" ] }
}
output {
  stdout { codec => rubydebug {} }
}

You must end with the correct closing tag: </Events>
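As an added illustration (this is example code, not part of the post above and not Logstash's own xml filter), the following Python script shows what the per-event structure looks like once the document is parsed: every `<Event>` sits in the Windows event namespace, the `<Data Name="...">` children of `<EventData>` flatten naturally into key/value fields, and the `<Binary>` payload is base64 over UTF-16LE text. The sample XML embedded in the script is constructed for the example, modelled on the post, with two events and a properly closed `</Events>` root; `is_well_formed` demonstrates the check the answer refers to, since a file that ends with `<Events>` instead of `</Events>` is rejected by the parser.

```python
"""Flatten a Windows event-log XML export into one document per <Event>.

Added example, not from the original post or from Logstash. The sample
XML below is constructed for this example (based on the post's snippet).
"""
import base64
import json
import xml.etree.ElementTree as ET

# Namespace declared on every <Event> element in Windows event XML.
NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Constructed sample: two events inside a correctly closed <Events> root.
SAMPLE_XML = """<Events>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Service Control Manager" Guid="{555908d1-a6d7-4695-8e1e-26931d2012f4}" EventSourceName="Service Control Manager"></Provider>
<EventID Qualifiers="16384">7036</EventID>
<Version>0</Version><Level>4</Level><Task>0</Task><Opcode>0</Opcode>
<Keywords>0x8080000000000000</Keywords>
<TimeCreated SystemTime="2024-09-13 10:07:49.771505"></TimeCreated>
<EventRecordID>175226</EventRecordID>
<Correlation ActivityID="" RelatedActivityID=""></Correlation>
<Execution ProcessID="660" ThreadID="5840"></Execution>
<Channel>System</Channel>
<Computer>XXXXXXX.itmaster.local</Computer>
<Security UserID=""></Security>
</System>
<EventData><Data Name="param1">Smart Card</Data>
<Data Name="param2">running</Data>
<Binary>UwBDAGEAcgBkAFMAdgByAC8ANAAAAA==</Binary>
</EventData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Service Control Manager" Guid="{555908d1-a6d7-4695-8e1e-26931d2012f4}" EventSourceName="Service Control Manager"></Provider>
<EventID Qualifiers="16384">7036</EventID>
<Version>0</Version><Level>4</Level><Task>0</Task><Opcode>0</Opcode>
<Keywords>0x8080000000000000</Keywords>
<TimeCreated SystemTime="2024-09-13 10:08:02.113400"></TimeCreated>
<EventRecordID>175227</EventRecordID>
<Execution ProcessID="660" ThreadID="5840"></Execution>
<Channel>System</Channel>
<Computer>XXXXXXX.itmaster.local</Computer>
</System>
<EventData><Data Name="param1">Smart Card</Data>
<Data Name="param2">stopped</Data>
</EventData>
</Event>
</Events>"""


def decode_binary(b64):
    """Decode <Binary>: Windows stores it as UTF-16LE text in most events;
    fall back to a hex string when the bytes are not valid UTF-16."""
    if not b64:
        return None
    raw = base64.b64decode(b64)
    try:
        return raw.decode("utf-16-le").rstrip("\x00")
    except UnicodeDecodeError:
        return raw.hex()


def flatten_event(ev):
    """Turn one namespaced <Event> element into a flat dict."""
    system = ev.find("e:System", NS)
    provider = system.find("e:Provider", NS)
    created = system.find("e:TimeCreated", NS)
    doc = {
        "provider": provider.get("Name") if provider is not None else None,
        "event_id": int(system.findtext("e:EventID", namespaces=NS)),
        "record_id": int(system.findtext("e:EventRecordID", namespaces=NS)),
        "channel": system.findtext("e:Channel", namespaces=NS),
        "computer": system.findtext("e:Computer", namespaces=NS),
        "time_created": created.get("SystemTime") if created is not None else None,
    }
    # <Data Name="param1">...</Data> becomes doc["param1"] = "..."
    for data in ev.findall("e:EventData/e:Data", NS):
        doc[data.get("Name", "data")] = data.text
    doc["binary"] = decode_binary(ev.findtext("e:EventData/e:Binary", namespaces=NS))
    return doc


def parse_events(xml_text):
    """Parse the whole export and return one flat document per <Event>."""
    root = ET.fromstring(xml_text)
    return [flatten_event(ev) for ev in root.findall("e:Event", NS)]


def is_well_formed(xml_text):
    """False when the document does not parse, e.g. the root <Events> is
    never closed (the mistake the answer above warns about)."""
    try:
        ET.fromstring(xml_text)
        return True
    except ET.ParseError:
        return False


if __name__ == "__main__":
    for doc in parse_events(SAMPLE_XML):
        print(json.dumps(doc))
```

Each printed line is a JSON document ready for bulk indexing. Note that every lookup has to carry the namespace prefix because the `xmlns` attribute on `<Event>` applies to all of its descendants, which is also why the parsed field names in the Logstash `doc` target look different from the bare tag names in the file.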
