Logstash XML file headers

Hi,

I'm parsing xml files coming from filebeat, with logstash.

I have a configuration that works fine for the records, but it fails to parse the header and the end of the files.

One of the headers of a file:

   	<?xml version="1.0" encoding="UTF-8"?>
    <Audit xmlns="http://xmlns.oracle.com/oracleas/schema/dbserver_audittrail-11_2.xsd"
     xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
     xsi:schemaLocation="http://xmlns.oracle.com/oracleas/schema/dbserver_audittrail-11_2.xsd">
     <Version>11.2</Version>
 <AuditRecord><Audit_Type>1</Audit_Type><Session_Id>0</Session_Id><StatementId>0</StatementId><EntryId>1</EntryId><Extended_Timestamp>2017-11-29T00:00:00.000000Z</Extended_Timestamp><DB_User>some</DB_User><OS_User>some</OS_User><Userhost>some</Userhost><OS_Process>0</OS_Process><Terminal>some</Terminal><Instance_Number>0</Instance_Number><Object_Schema>some</Object_Schema><Object_Name>some</Object_Name><Action>0</Action><TransactionId>0</TransactionId><Returncode>0</Returncode><Scn>0</Scn><DBID>0</DBID>
  <Sql_Text>some s>ql</Sql_Text>
  </AuditRecord>

I only need the data from the tags inside the AuditRecord tag.

This is my .conf for logstash:

 # Receive events shipped by Filebeat over the Beats protocol.
 input {
   beats {
     # NOTE(review): no TLS or client-authentication options are set in this
     # block, so as written the audit records (DB user, host, SQL text) arrive
     # unencrypted and any host that can reach this port can submit events.
     # Consider the plugin's TLS settings with client certificate verification,
     # or restrict access to the port at the network layer.
     port => "5044"
   }
 }
 
 # Extract the individual AuditRecord fields from the XML carried in "message".
 filter {
   xml {
     # The raw XML text of each event is read from this field.
     source => "message"

     # Do not store the whole parsed document on the event; only the XPath
     # results listed below are added as fields.
     store_xml => false

     # XPath expression => destination field. The expressions are rooted at
     # /AuditRecord and carry no namespace, so they match only when the event
     # holds a standalone <AuditRecord> fragment. An event made of the file
     # header (<?xml ...?>, <Audit xmlns=...>, <Version>) or of the closing
     # tag is not a complete document and will not match any of them; the xml
     # filter normally tags such events with _xmlparsefailure.
     # NOTE(review): this is audit data, so route parse failures somewhere
     # they can be inspected rather than discarding them unseen. Sql_Text and
     # Sql_Bind may contain sensitive values; restrict who can read the index.
     xpath => {
       "/AuditRecord/Audit_Type/text()" => "AuditType"
       "/AuditRecord/Session_Id/text()" => "SessionId"
       "/AuditRecord/StatementId/text()" => "StatementId"
       "/AuditRecord/EntryId/text()" => "EntryId"
       "/AuditRecord/Extended_Timestamp/text()" => "ExtendedTimestamp"
       "/AuditRecord/DB_User/text()" => "DB_User"
       "/AuditRecord/OS_User/text()" => "OS_User"
       "/AuditRecord/Userhost/text()" => "Userhost"
       "/AuditRecord/OS_Process/text()" => "OS_Process"
       "/AuditRecord/Terminal/text()" => "Terminal"
       "/AuditRecord/Instance_Number/text()" => "InstanceNumber"
       "/AuditRecord/Object_Schema/text()" => "ObjectSchema"
       "/AuditRecord/Object_Name/text()" => "ObjectName"
       "/AuditRecord/Action/text()" => "Action"
       "/AuditRecord/TransactionId/text()" => "TransactionId"
       "/AuditRecord/Returncode/text()" => "Returncode"
       "/AuditRecord/Scn/text()" => "Scn"
       "/AuditRecord/Comment_Text/text()" => "Comment_Text"
       "/AuditRecord/DBID/text()" => "DBID"
       "/AuditRecord/Sql_Bind/text()" => "SqlBind"
       "/AuditRecord/Sql_Text/text()" => "Sql_Text"
     }
   }
 }
 
 # Index the parsed events into Elasticsearch.
 output {
   elasticsearch {
     # NOTE(review): the host is given without an https scheme and this block
     # sets no credentials or TLS options, so as written the audit events are
     # presumably sent to the cluster unauthenticated and unencrypted. Confirm
     # how the cluster is secured and use a least-privilege writer account.
     hosts => [ "SomeEScluster:9200" ]
   }
 }

Any help with parsing the headers?

Thanks in advance.
