I am trying to parse Microsoft Active Directory logs, which are completely in XML format. Below is an example of the logs. Here is a link to the log.
Below is my config file:
filter {
  grok {
    # One anchored pattern is enough; the three identical match entries were redundant
    match => [ "message", "^%{TIMESTAMP_ISO8601:syslog_ts}?\|\|%{NONNEGINT:syslog_cat}\|\|%{NONNEGINT:syslog_severity}\|\|%{IP:syslog_src}?\|\|%{DATA:info}:%{SPACE}%{GREEDYDATA:XML_Message}" ]
  }
  xml {
    source => "XML_Message"
    target => "parsed_xml"
    force_array => false
    suppress_empty => false
  }
  # NEED TO EXTRACT DATA FROM EVENTDATA
  # The event ID lives under <System>, not <EventData>, and the xml filter
  # stores it as a string, so compare against "5156", not the number 5156.
  if [parsed_xml][System][EventID] == "5156" {
    grok {
      # Caveat: grok only matches string fields. If the xml filter has turned
      # <EventData> into a hash of <Data Name="..."> elements, this pattern
      # cannot match it; the xml filter's xpath option is the usual way to
      # pull individual <Data> values out in that case.
      match => [ "[parsed_xml][EventData]", "^(?<Message2>([^#]*))Application Information:Process ID:%{DATA:process_id}Application Name:%{DATA:application_name}Network Information:Direction:%{USERNAME:direction}Source Address:%{IP:source_address}Source Port:%{NUMBER:source_port}Destination Address:%{IP:destination_ip}Destination Port:%{NUMBER:destination_port}Protocol:%{USERNAME:protocol}Filter Information:Filter Run-Time ID:%{USERNAME:filter_run_time_id}Layer Name:%{DATA:layer_name}Layer Run-Time ID:%{NUMBER:layer_run_time_id}" ]
    }
  }
}
The issue I am having is that I need to parse fields from <EventData> as well, but I am not able to access it. I am not getting any fields in Kibana and there is no _grokparsefailure either.
I am using an IF loop to access fields based on event ID, but nothing is getting extracted.
So how do I access XML fields and further process them using grok?
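As an added illustration (not part of the original post and not a Logstash configuration), the following Python script shows the structure the pipeline above is working with: a syslog-style header, then a Windows event XML document in which the event ID sits under <System>/<EventID> and the audit fields sit under <EventData> as <Data Name="..."> elements rather than as one text blob. The sample line, the field names in the header regex and the output key names are constructed for this example; the <Data Name> values used for event 5156 follow the Windows Filtering Platform audit schema but should be checked against your own logs.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample line in the "ts||cat||sev||src||info: <xml>" framing the
# question's grok pattern expects. Not taken from the original post.
SAMPLE_LINE = (
    "2024-01-15T10:22:31.123Z||4||4||10.0.0.5||Security: "
    '<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">'
    '<System><Provider Name="Microsoft-Windows-Security-Auditing"/>'
    "<EventID>5156</EventID><Computer>host01.example.local</Computer></System>"
    "<EventData>"
    '<Data Name="ProcessID">4</Data>'
    '<Data Name="Application">System</Data>'
    '<Data Name="Direction">%%14592</Data>'
    '<Data Name="SourceAddress">10.0.0.5</Data>'
    '<Data Name="SourcePort">49152</Data>'
    '<Data Name="DestAddress">10.0.0.9</Data>'
    '<Data Name="DestPort">445</Data>'
    '<Data Name="Protocol">6</Data>'
    '<Data Name="FilterRTID">66441</Data>'
    '<Data Name="LayerName">%%14610</Data>'
    '<Data Name="LayerRTID">44</Data>'
    "</EventData></Event>"
)

# Equivalent of the first grok stage: split the syslog-style header from the XML body.
# The source address may be empty, mirroring the optional %{IP:syslog_src}? in the pattern.
HEADER_RE = re.compile(
    r"^(?P<syslog_ts>\S+)\|\|(?P<syslog_cat>\d+)\|\|(?P<syslog_severity>\d+)\|\|"
    r"(?P<syslog_src>[^|]*)\|\|(?P<info>[^:]+):\s*(?P<xml_message>.*)$",
    re.DOTALL,
)


def split_header(line):
    """Return the header fields plus the raw XML, or None if the framing does not match."""
    m = HEADER_RE.match(line)
    return m.groupdict() if m else None


def _local_name(tag):
    # Windows event XML carries a default namespace, so tags arrive as "{ns}EventID".
    return tag.split("}", 1)[1] if tag.startswith("{") else tag


def parse_event(xml_text):
    """Equivalent of the xml filter: EventID from <System>, named values from <EventData>."""
    root = ET.fromstring(xml_text)
    event = {"EventID": None, "Computer": None, "EventData": {}}
    for el in root.iter():
        name = _local_name(el.tag)
        if name == "EventID":
            event["EventID"] = (el.text or "").strip()
        elif name == "Computer":
            event["Computer"] = (el.text or "").strip()
        elif name == "Data" and el.get("Name"):
            # Each <Data Name="X">v</Data> becomes EventData[X] = v
            event["EventData"][el.get("Name")] = (el.text or "").strip()
    return event


def extract_5156(line):
    """Equivalent of the conditional block: only act on event ID 5156 (a string, not an int)."""
    hdr = split_header(line)
    if hdr is None:
        return None
    ev = parse_event(hdr["xml_message"])
    if ev["EventID"] != "5156":
        return None
    d = ev["EventData"]
    return {
        "event_id": ev["EventID"],
        "computer": ev["Computer"],
        "process_id": d.get("ProcessID"),
        "application": d.get("Application"),
        "direction": d.get("Direction"),
        "source_address": d.get("SourceAddress"),
        "source_port": d.get("SourcePort"),
        "destination_ip": d.get("DestAddress"),
        "destination_port": d.get("DestPort"),
        "protocol": d.get("Protocol"),
        "filter_run_time_id": d.get("FilterRTID"),
        "layer_name": d.get("LayerName"),
        "layer_run_time_id": d.get("LayerRTID"),
    }


if __name__ == "__main__":
    print(extract_5156(SAMPLE_LINE))
```

The point to carry back to Logstash: after the xml filter, the event ID is at [parsed_xml][System][EventID] (as a string), and <EventData> is a structure of named values, not a line of text, so a grok on it has nothing to match; the xml filter's xpath option addresses such values directly.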