I'm trying to split an XML file into multiple events. Here's a sample input:
<Report>
  <ReportHost name="1">
    <HostProperties>
      <tag name="os">linux</tag>
      <tag name="operating-sys">Linux Kernel 2.6</tag>
    </HostProperties>
    <ReportItem port="0" protocol="tcp">
      <description> This is a teeeest </description>
      <solution>n/a</solution>
    </ReportItem>
    <ReportItem port="8834" protocol="tcp">
      <description>Wrong CSP</description>
      <solution>Stop lieing</solution>
    </ReportItem>
  </ReportHost>
  <ReportHost name="2">
    <HostProperties>
      <tag name="os">windows</tag>
      <tag name="operating-system">Windows Server 2016</tag>
    </HostProperties>
    <ReportItem port="445" protocol="tcp">
      <description>teeeeeeeeeeest</description>
      <solution>WU</solution>
    </ReportItem>
    <ReportItem port="0" protocol="tcp">
      <description>TESTnana</description>
      <solution>n/a</solution>
    </ReportItem>
  </ReportHost>
</Report>
I indexed single ReportItem events as follows:
input {
  file {
    path => "/home/test/test.xml"
    start_position => "beginning"
    sincedb_path => "/dev/null"
    # every line that does not start a new <ReportItem> is appended to the previous event
    codec => multiline {
      pattern => "<ReportItem"
      negate => "true"
      what => "previous"
    }
  }
}
filter {
  xml {
    source => "message"
    # no trailing comma after the last pair: the config parser rejects it
    xpath => [
      "/ReportItem/@port", "port",
      "/ReportItem/@protocol", "protocol",
      "//description/text()", "description",
      "//solution/text()", "solution"
    ]
  }
}
output {
  stdout { }
}
What is the best way to add the HostProperties element to every event? How can I address each individual tag element?
Best regards
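The grouping the question is after, as an added example that is not part of the original post or of Logstash itself: a stand-alone Python script that walks each ReportHost once, collects its HostProperties tags into a dictionary keyed by the tag's name attribute, and emits one flat event per ReportItem carrying that host context. It also shows addressing a single tag by name with an XPath attribute predicate, the same form the xml filter's xpath option accepts. The sample report is constructed to mirror the one in the question, and the field names (host, host_properties, os, operating_system) are my own choice, not anything the post specifies.

```python
# Added example (not from the original post): split a Nessus-style report into
# one event per <ReportItem>, carrying the enclosing <ReportHost>'s name and
# every <HostProperties>/<tag> with it, so host context is never lost.
import json
import xml.etree.ElementTree as ET

# Constructed sample input, mirroring the report in the question
# (including its inconsistent "operating-sys" / "operating-system" tag names).
SAMPLE_REPORT = """<Report>
<ReportHost name="1">
<HostProperties>
<tag name="os">linux</tag>
<tag name="operating-sys">Linux Kernel 2.6</tag>
</HostProperties>
<ReportItem port="0" protocol="tcp">
<description> This is a teeeest </description>
<solution>n/a</solution>
</ReportItem>
<ReportItem port="8834" protocol="tcp">
<description>Wrong CSP</description>
<solution>Stop lieing</solution>
</ReportItem>
</ReportHost>
<ReportHost name="2">
<HostProperties>
<tag name="os">windows</tag>
<tag name="operating-system">Windows Server 2016</tag>
</HostProperties>
<ReportItem port="445" protocol="tcp">
<description>teeeeeeeeeeest</description>
<solution>WU</solution>
</ReportItem>
<ReportItem port="0" protocol="tcp">
<description>TESTnana</description>
<solution>n/a</solution>
</ReportItem>
</ReportHost>
</Report>
"""


def host_properties(host):
    """Map every <tag name="..."> under <HostProperties> to its stripped text.

    Keying on the name attribute is what lets a consumer address one tag later
    (props["os"]); tags without a name attribute are skipped.
    """
    props = {}
    for tag in host.findall("./HostProperties/tag"):
        name = tag.get("name")
        if name:
            props[name] = (tag.text or "").strip()
    return props


def tag_value(host, name):
    """Address a single tag by name with an XPath attribute predicate.

    Returns None when the host has no such tag instead of raising. `name` must
    come from code, never from the document: ElementTree's predicate syntax has
    no quoting mechanism, so an attacker-controlled name could rewrite the path.
    """
    tag = host.find(f"./HostProperties/tag[@name='{name}']")
    return (tag.text or "").strip() if tag is not None else None


def split_report(xml_text):
    """Return one flat event per <ReportItem>, enriched with its host's context."""
    # ElementTree's expat backend does not resolve external entities, so XXE
    # through a crafted report is not a concern here; for XML from untrusted
    # sources, parse with defusedxml instead (assumption: reports come from
    # your own scanner export).
    root = ET.fromstring(xml_text)
    events = []
    for host in root.iter("ReportHost"):
        props = host_properties(host)
        for item in host.findall("ReportItem"):
            events.append({
                "host": host.get("name"),
                "host_properties": dict(props),  # per-event copy, safe to mutate
                "os": tag_value(host, "os"),      # tags promoted to top-level fields
                "operating_system": tag_value(host, "operating-system"),  # None on host 1
                "port": int(item.get("port", "0")),
                "protocol": item.get("protocol"),
                "description": (item.findtext("description") or "").strip(),
                "solution": (item.findtext("solution") or "").strip(),
            })
    return events


def to_json_lines(events):
    """Serialise events as newline-delimited JSON, one document per line."""
    return "\n".join(json.dumps(e, sort_keys=True) for e in events)


if __name__ == "__main__":
    print(to_json_lines(split_report(SAMPLE_REPORT)))
```

The important design point is that the unit of parsing is the ReportHost, not the ReportItem: splitting the file at every `<ReportItem` throws the HostProperties away before the xml filter ever sees them, and the fragments around host boundaries are not well-formed XML. In Logstash terms the equivalent shape is to group on `<ReportHost` instead, let the xml filter store the parsed host under a target field, and then fan out with the split filter on the ReportItem array, so each resulting event still carries the host-level tags.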