Hi,
I'm parsing xml files coming from filebeat, with logstash.
I have a configuration that works fine, but it's not parsing the header and with the end of the files
One of the headers of a file:
<?xml version="1.0" encoding="UTF-8"?>
<Audit xmlns="http://xmlns.oracle.com/oracleas/schema/dbserver_audittrail-11_2.xsd"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://xmlns.oracle.com/oracleas/schema/dbserver_audittrail-11_2.xsd">
<Version>11.2</Version>
<AuditRecord><Audit_Type>1</Audit_Type><Session_Id>0</Session_Id><StatementId>0</StatementId><EntryId>1</EntryId><Extended_Timestamp>2017-11-29T00:00:00.000000Z</Extended_Timestamp><DB_User>some</DB_User><OS_User>some</OS_User><Userhost>some</Userhost><OS_Process>0</OS_Process><Terminal>some</Terminal><Instance_Number>0</Instance_Number><Object_Schema>some</Object_Schema><Object_Name>some</Object_Name><Action>0</Action><TransactionId>0</TransactionId><Returncode>0</Returncode><Scn>0</Scn><DBID>0</DBID>
<Sql_Text>some s>ql</Sql_Text>
</AuditRecord>
I only need the info in the data of the tags in the AuditRecord tag
This is my .conf for logstash:
input {
beats {
port => "5044"
}
}
filter {
xml {
source => "message"
xpath =>
[
"/AuditRecord/Audit_Type/text()", "AuditType",
"/AuditRecord/Session_Id/text()", "SessionId",
"/AuditRecord/StatementId/text()", "StatementId",
"/AuditRecord/EntryId/text()", "EntryId",
"/AuditRecord/Extended_Timestamp/text()", "ExtendedTimestamp",
"/AuditRecord/DB_User/text()", "DB_User",
"/AuditRecord/OS_User/text()", "OS_User",
"/AuditRecord/Userhost/text()", "Userhost",
"/AuditRecord/OS_Process/text()", "OS_Process",
"/AuditRecord/Terminal/text()", "Terminal",
"/AuditRecord/Instance_Number/text()", "InstanceNumber",
"/AuditRecord/Object_Schema/text()", "ObjectSchema",
"/AuditRecord/Object_Name/text()", "ObjectName",
"/AuditRecord/Action/text()", "Action",
"/AuditRecord/TransactionId/text()", "TransactionId",
"/AuditRecord/Returncode/text()", "Returncode",
"/AuditRecord/Scn/text()", "Scn",
"/AuditRecord/Comment_Text/text()", "Comment_Text",
"/AuditRecord/DBID/text()", "DBID",
"/AuditRecord/Sql_Bind/text()", "SqlBind",
"/AuditRecord/Sql_Text/text()", "Sql_Text"
]
store_xml => false
}
}
output {
elasticsearch {
hosts => [ "SomeEScluster:9200" ]
}
}
Any help to parse headers?
Thanks in advance.