Hello everyone,
I have a problem when I'm trying to parse xml logs with Logstash.
Indeed, I installed and configured Filebeat on a CentOS 7 with Prelude SIEM installed. I am using Filebeat to transmit the xml logs from Prelude to ELK and am using Logstash to parse these logs.
Firstly, my configuration works when I do not apply a Logstash filter. I'm receiving unstructured logs which are visibles on my Kibana.
But when I am applying my following xml filter, Filebeat sends nothing:
filter
{
xml
{
source => "message"
xpath =>
[
"/Alert/Analyzer/Node/location/text()","Localisation",
"/Alert/Analyzer/Node/name/text()","Nom",
"/Alert/Analyzer/Node/Address/address/text()","AdresseIP",
"/Alert/Analyzer/Process/name/text()","Nom_manager",
"/Alert/Analyzer/Process/pid/text()","pid",
"/Alert/Analyzer/Process/path/text()","Chemin",
"/Alert/Analyzer/Analyzer/name/text()","Nom_de_la_sonde",
"/Alert/Analyzer/Analyzer/Node/address/text()","Adresse_sonde",
"/Alert/Assessment/Impact/text()","Alerte",
"/Alert/CreateTime/text(),"Date"
]
store_xml => true
}
}
You can see here an example of the xml logs I want to parse:
<?xml version="1.0" encoding="UTF-8"?>
<IDMEF-Message>
<Alert messageid="abf3f57c-a10b-11ea-b648">
<Analyzer analyzerid="915065842660167" name="prelude-manager" manufacturer="http://www.prelude-siem.com" model="Prelude Manager" version="5.1.0" class="Concentrator" ostype="Linux" osversion="3.10.0-1062.18.1.el7.x86_64">
<Node category="unknown">
<location>Apt35</location>
<name>SIEM IUT</name>
<Address category="ipv4-addr">
<address>127.0.0.1</address>
</Address>
</Node>
<Process>
<name>prelude-manager</name>
<pid>7448</pid>
<path>/usr/sbin/prelude-manager</path>
</Process>
<Analyzer analyzerid="3404278568268184" name="suricata" manufacturer="http://www.openinfosecfoundation.org/" model="Suricata" version="5.0.3" class="NIDS" ostype="Linux" osversion="4.18.0-147.el8.x86_64">
<Node category="unknown">
<location>Apt35</location>
<name>Suricata</name>
<Address category="ipv4-addr">
<address>192.168.1.73</address>
</Address>
</Node>
<Process>
<name />
<pid>3791</pid>
</Process>
</Analyzer>
</Analyzer>
<CreateTime ntpstamp="0xe27a7850.0xfb895000">2020-05-28T19:50:08.982564+02:00</CreateTime>
<DetectTime ntpstamp="0xe27a7850.0xfb78d000">2020-05-28T19:50:08.982312+02:00</DetectTime>
<AnalyzerTime ntpstamp="0xe27a7850.0xfb8aa000">2020-05-28T19:50:08.982584+02:00</AnalyzerTime>
<Source spoofed="unknown">
<Node category="unknown">
<Address category="ipv4-addr">
<address>192.168.1.73</address>
</Address>
</Node>
<Service ip_version="4" iana_protocol_number="6" iana_protocol_name="tcp">
<port>22</port>
</Service>
</Source>
<Target decoy="unknown">
<Node category="unknown">
<Address category="ipv4-addr">
<address>192.168.1.39</address>
</Address>
</Node>
<Service ip_version="4" iana_protocol_number="6" iana_protocol_name="tcp">
<port>51342</port>
</Service>
</Target>
<Classification ident="1:20001" text="">
<Reference origin="vendor-specific">
<name>1:20001</name>
<url>http://www.snort.org/search/sid/1-20001</url>
</Reference>
</Classification>
<Assessment>
<Impact severity="low" type="other">Connexion SSH</Impact>
</Assessment>
<AdditionalData type="string" meaning="proto_version">
<string>2.0</string>
</AdditionalData>
<AdditionalData type="string" meaning="software_version">
<string>OpenSSH_7.4</string>
</AdditionalData>
<AdditionalData type="integer" meaning="snort_rule_sid">
<integer>20001</integer>
</AdditionalData>
<AdditionalData type="integer" meaning="snort_rule_rev">
<integer>0</integer>
</AdditionalData>
<AdditionalData type="integer" meaning="ip_ver">
<integer>4</integer>
</AdditionalData>
<AdditionalData type="integer" meaning="ip_hlen">
<integer>5</integer>
</AdditionalData>
<AdditionalData type="integer" meaning="ip_tos">
<integer>0</integer>
</AdditionalData>
<AdditionalData type="integer" meaning="ip_len">
<integer>52</integer>
</AdditionalData>
<AdditionalData type="integer" meaning="ip_id">
<integer>24456</integer>
</AdditionalData>
<AdditionalData type="integer" meaning="ip_off">
<integer>16384</integer>
</AdditionalData>
<AdditionalData type="integer" meaning="ip_ttl">
<integer>64</integer>
</AdditionalData>
<AdditionalData type="integer" meaning="ip_proto">
<integer>6</integer>
</AdditionalData>
<AdditionalData type="integer" meaning="ip_sum">
<integer>22395</integer>
</AdditionalData>
<AdditionalData type="integer" meaning="tcp_seq">
<integer>2344515842</integer>
</AdditionalData>
<AdditionalData type="integer" meaning="tcp_ack">
<integer>3437736295</integer>
</AdditionalData>
<AdditionalData type="integer" meaning="tcp_off">
<integer>8</integer>
</AdditionalData>
<AdditionalData type="integer" meaning="tcp_res">
<integer>0</integer>
</AdditionalData>
<AdditionalData type="integer" meaning="tcp_flags">
<integer>16</integer>
</AdditionalData>
<AdditionalData type="integer" meaning="tcp_win">
<integer>227</integer>
</AdditionalData>
<AdditionalData type="integer" meaning="tcp_sum">
<integer>33767</integer>
</AdditionalData>
<AdditionalData type="integer" meaning="tcp_urp">
<integer>0</integer>
</AdditionalData>
<AdditionalData type="integer" meaning="tcp_tsval">
<integer>2391167528</integer>
</AdditionalData>
<AdditionalData type="integer" meaning="tcp_tsecr">
<integer>7204170</integer>
</AdditionalData>
<AdditionalData type="integer" meaning="tcp_wscale">
<integer>0</integer>
</AdditionalData>
<AdditionalData type="integer" meaning="tcp_hlen">
<integer>32</integer>
</AdditionalData>
</Alert>
</IDMEF-Message>
And here you can see the only 2 packets that appear on Wireshark when Filebeat "sends" logs to Logstash:
Don't hesitate to tell me if you need additionnal informations.
I hope you can help me to resolve my issue
Thank you!