Hi all
I am trying to parse McAfee ePO logs using Logstash. I am using a combination of the grok and XML filters to parse the log. In the input data set there are a few \ within the XML part, so I am not able to parse the log in the expected manner.
I tried the Trim and Gsub processors, but I am still getting some errors. Please advise me on this.
I am adding my filter, the input XML part, and the error message that I am getting now.
<29>1 2020-01-30T06:50:37.0Z HOVMSMAV1 EPOEvents - EventFwd [agentInfo@3401 tenantId="1" bpsId="1" tenantGUID="{00000000-0000-0000-0000-000000000000}" tenantNodePath="1\2"] <?xml version=\"1.0\" encoding=\"UTF-8\"?>
[ERROR] 2020-01-30 16:49:54.513 [Ruby-0-Thread-1: /usr/share/logstash/vendor/bundle/jruby/2.3.0/gems/stud-0.0.23/lib/stud/task.rb:22] agent - Failed to execute action {:action=>LogStash::PipelineAction::Create/pipeline_id:main, :exception=>"LogStash::ConfigurationError", :message=>"Expected one of #, {, } at line 20, column 18 (byte 297) after filter {\n kv {\n source => "message"\n remove_char_value => "\\"\n}\n}\n\noutput {\nstdout { codec => rubydebug }\nelasticsearch {\n hosts => ["", :backtrace=>["/usr/share/logstash/logstash-core/lib/logstash/compiler.rb:42:in compile_imperative'", "/usr/share/logstash/logstash-core/lib/logstash/compiler.rb:50:in
compile_graph'", "/usr/share/logstash/logstash-core/lib/logstash/compiler.rb:12:in block in compile_sources'", "org/jruby/RubyArray.java:2486:in
map'", "/usr/share/logstash/logstash-
filter {
  grok {
    match => { "message" => '%{SYSLOG5424LINE}' }
  }
  mutate {
    # The original gsub replaced every backslash with a double quote, which
    # turns \"1.0\" into ""1.0"" and still breaks the XML parser. Match the
    # backslash-quote pair instead and keep only the quote. With the default
    # config.support_escapes=false the config string '\\"' reaches the regex
    # engine as \\" (a literal backslash followed by a quote).
    gsub => ["syslog5424_msg", '\\"', '"']
  }
  xml {
    source => "syslog5424_msg"
    # store_xml => false extracts nothing by itself; add xpath entries here,
    # or set store_xml => true with a target, to get fields out of the XML.
    store_xml => false
  }
}
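What the grok, gsub and xml steps in the post are meant to do, as an added Python example (not code from the post or from Logstash): split the RFC 5424 header the way SYSLOG5424LINE does, unescape `\"` only in the message part, and then parse the XML. The XML body after the declaration is constructed, since the post cuts the event off there.

```python
import re
import xml.etree.ElementTree as ET

# RFC 5424 header, same pieces grok's SYSLOG5424LINE splits out: PRI, version,
# timestamp, host, app, procid, msgid, structured data, then the free message.
SYSLOG5424 = re.compile(
    r'^<(?P<pri>\d{1,3})>(?P<ver>\d+) (?P<ts>\S+) (?P<host>\S+) (?P<app>\S+) '
    r'(?P<proc>\S+) (?P<msgid>\S+) (?P<sd>\[.*?\]|-) (?P<msg>.*)$'
)
# One SD-PARAM: name="value", where the value may contain escaped characters.
SD_PARAM = re.compile(r'(\w+)="((?:[^"\\]|\\.)*)"')

# Constructed sample: header copied from the post, XML body made up (loosely
# modelled on an ePO event) because the post truncates after the declaration.
SAMPLE = ('<29>1 2020-01-30T06:50:37.0Z HOVMSMAV1 EPOEvents - EventFwd '
          '[agentInfo@3401 tenantId="1" bpsId="1" '
          'tenantGUID="{00000000-0000-0000-0000-000000000000}" tenantNodePath="1\\2"] '
          '<?xml version=\\"1.0\\" encoding=\\"UTF-8\\"?>'
          '<EPOEvent><MachineInfo><MachineName>HOVMSMAV1</MachineName></MachineInfo>'
          '<SoftwareInfo ProductName=\\"McAfee Agent\\"/></EPOEvent>')


def unescape_quotes(msg):
    """Drop only the backslash that escapes a quote; other backslashes stay."""
    return msg.replace('\\"', '"')


def is_well_formed(msg):
    """True if the message parses as XML; the raw escaped form does not."""
    try:
        ET.fromstring(msg)
        return True
    except ET.ParseError:
        return False


def parse_epo_syslog(line):
    m = SYSLOG5424.match(line)
    if not m:
        raise ValueError("not an RFC 5424 line")
    fields = m.groupdict()
    sd = fields.pop("sd")
    fields["sd"] = {} if sd == "-" else dict(SD_PARAM.findall(sd))
    fields["raw_msg"] = fields["msg"]            # as received, with \" inside
    fields["msg"] = unescape_quotes(fields["msg"])  # what the gsub should yield
    fields["xml"] = ET.fromstring(fields["msg"])
    return fields
```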