Logstash XML parsing issue

Hello everyone,

I have a problem when I'm trying to parse xml logs with Logstash.

I installed and configured Filebeat on a CentOS 7 host that has Prelude SIEM installed. I am using Filebeat to ship the XML logs from Prelude to ELK, and Logstash to parse them.

Firstly, my configuration works when I do not apply a Logstash filter: I receive unstructured logs, which are visible in Kibana.

But when I apply the following xml filter, Filebeat sends nothing:

# Filter as originally posted. It does not load: the last xpath entry (the "Date"
# line) is missing its closing quotation mark, and no `target` is set even though
# `store_xml => true` is used (the xml filter needs a target field to store the
# parsed document in).
# NOTE(review): the sample document further down has <IDMEF-Message> as its root
# element, so absolute paths starting with /Alert would select nothing there;
# presumably the paths need to start with /IDMEF-Message/Alert — verify against
# the actual events.
filter 
  {
    xml 
      {
        # Event field that holds the raw XML text shipped by Filebeat.
        source => "message"
        # Pairs of XPath expression, destination field name.
        xpath => 
		[
		
		"/Alert/Analyzer/Node/location/text()","Localisation",
		"/Alert/Analyzer/Node/name/text()","Nom",		
		"/Alert/Analyzer/Node/Address/address/text()","AdresseIP",
		"/Alert/Analyzer/Process/name/text()","Nom_manager",
		"/Alert/Analyzer/Process/pid/text()","pid",
		"/Alert/Analyzer/Process/path/text()","Chemin",
		"/Alert/Analyzer/Analyzer/name/text()","Nom_de_la_sonde",
		"/Alert/Analyzer/Analyzer/Node/address/text()","Adresse_sonde",
		"/Alert/Assessment/Impact/text()","Alerte",
		# BUG: closing quotation mark missing after text() — the config fails to parse.
		"/Alert/CreateTime/text(),"Date"

		]
        # Stores the whole parsed document; requires a `target` field (not set here).
        store_xml => true
      }
}

Here is an example of the XML logs I want to parse:

<?xml version="1.0" encoding="UTF-8"?>
<!-- Root element is IDMEF-Message, not Alert: an absolute XPath such as
     /Alert/... selects nothing in this document; the path has to start with
     /IDMEF-Message/Alert. -->
<IDMEF-Message>
   <Alert messageid="abf3f57c-a10b-11ea-b648">
      <Analyzer analyzerid="915065842660167" name="prelude-manager" manufacturer="http://www.prelude-siem.com" model="Prelude Manager" version="5.1.0" class="Concentrator" ostype="Linux" osversion="3.10.0-1062.18.1.el7.x86_64">
         <Node category="unknown">
            <location>Apt35</location>
            <name>SIEM IUT</name>
            <Address category="ipv4-addr">
               <address>127.0.0.1</address>
            </Address>
         </Node>
         <Process>
            <name>prelude-manager</name>
            <pid>7448</pid>
            <path>/usr/sbin/prelude-manager</path>
         </Process>
         <!-- Nested Analyzer (the sensor that raised the alert). Its IP is at
              Node/Address/address, so a path ending in Node/address/text()
              selects nothing. -->
         <Analyzer analyzerid="3404278568268184" name="suricata" manufacturer="http://www.openinfosecfoundation.org/" model="Suricata" version="5.0.3" class="NIDS" ostype="Linux" osversion="4.18.0-147.el8.x86_64">
            <Node category="unknown">
               <location>Apt35</location>
               <name>Suricata</name>
               <Address category="ipv4-addr">
                  <address>192.168.1.73</address>
               </Address>
            </Node>
            <Process>
               <name />
               <pid>3791</pid>
            </Process>
         </Analyzer>
      </Analyzer>
      <CreateTime ntpstamp="0xe27a7850.0xfb895000">2020-05-28T19:50:08.982564+02:00</CreateTime>
      <DetectTime ntpstamp="0xe27a7850.0xfb78d000">2020-05-28T19:50:08.982312+02:00</DetectTime>
      <AnalyzerTime ntpstamp="0xe27a7850.0xfb8aa000">2020-05-28T19:50:08.982584+02:00</AnalyzerTime>
      <Source spoofed="unknown">
         <Node category="unknown">
            <Address category="ipv4-addr">
               <address>192.168.1.73</address>
            </Address>
         </Node>
         <Service ip_version="4" iana_protocol_number="6" iana_protocol_name="tcp">
            <port>22</port>
         </Service>
      </Source>
      <Target decoy="unknown">
         <Node category="unknown">
            <Address category="ipv4-addr">
               <address>192.168.1.39</address>
            </Address>
         </Node>
         <Service ip_version="4" iana_protocol_number="6" iana_protocol_name="tcp">
            <port>51342</port>
         </Service>
      </Target>
      <Classification ident="1:20001" text="">
         <Reference origin="vendor-specific">
            <name>1:20001</name>
            <url>http://www.snort.org/search/sid/1-20001</url>
         </Reference>
      </Classification>
      <Assessment>
         <Impact severity="low" type="other">Connexion SSH</Impact>
      </Assessment>
      <AdditionalData type="string" meaning="proto_version">
         <string>2.0</string>
      </AdditionalData>
      <AdditionalData type="string" meaning="software_version">
         <string>OpenSSH_7.4</string>
      </AdditionalData>
      <AdditionalData type="integer" meaning="snort_rule_sid">
         <integer>20001</integer>
      </AdditionalData>
      <AdditionalData type="integer" meaning="snort_rule_rev">
         <integer>0</integer>
      </AdditionalData>
      <AdditionalData type="integer" meaning="ip_ver">
         <integer>4</integer>
      </AdditionalData>
      <AdditionalData type="integer" meaning="ip_hlen">
         <integer>5</integer>
      </AdditionalData>
      <AdditionalData type="integer" meaning="ip_tos">
         <integer>0</integer>
      </AdditionalData>
      <AdditionalData type="integer" meaning="ip_len">
         <integer>52</integer>
      </AdditionalData>
      <AdditionalData type="integer" meaning="ip_id">
         <integer>24456</integer>
      </AdditionalData>
      <AdditionalData type="integer" meaning="ip_off">
         <integer>16384</integer>
      </AdditionalData>
      <AdditionalData type="integer" meaning="ip_ttl">
         <integer>64</integer>
      </AdditionalData>
      <AdditionalData type="integer" meaning="ip_proto">
         <integer>6</integer>
      </AdditionalData>
      <AdditionalData type="integer" meaning="ip_sum">
         <integer>22395</integer>
      </AdditionalData>
      <AdditionalData type="integer" meaning="tcp_seq">
         <integer>2344515842</integer>
      </AdditionalData>
      <AdditionalData type="integer" meaning="tcp_ack">
         <integer>3437736295</integer>
      </AdditionalData>
      <AdditionalData type="integer" meaning="tcp_off">
         <integer>8</integer>
      </AdditionalData>
      <AdditionalData type="integer" meaning="tcp_res">
         <integer>0</integer>
      </AdditionalData>
      <AdditionalData type="integer" meaning="tcp_flags">
         <integer>16</integer>
      </AdditionalData>
      <AdditionalData type="integer" meaning="tcp_win">
         <integer>227</integer>
      </AdditionalData>
      <AdditionalData type="integer" meaning="tcp_sum">
         <integer>33767</integer>
      </AdditionalData>
      <AdditionalData type="integer" meaning="tcp_urp">
         <integer>0</integer>
      </AdditionalData>
      <AdditionalData type="integer" meaning="tcp_tsval">
         <integer>2391167528</integer>
      </AdditionalData>
      <AdditionalData type="integer" meaning="tcp_tsecr">
         <integer>7204170</integer>
      </AdditionalData>
      <AdditionalData type="integer" meaning="tcp_wscale">
         <integer>0</integer>
      </AdditionalData>
      <AdditionalData type="integer" meaning="tcp_hlen">
         <integer>32</integer>
      </AdditionalData>
   </Alert>
</IDMEF-Message>

And here you can see the only 2 packets that appear in Wireshark when Filebeat "sends" logs to Logstash:

Don't hesitate to tell me if you need additional information.

I hope you can help me resolve my issue :slight_smile:

Thank you!

Hello,

I finally found my errors: I had not set the target option, and I made a mistake on the last line of the xpath list by forgetting a quotation mark ^^

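# Working xml filter: `target` is set and the closing quotation mark on the last
# xpath entry is restored. The XPath expressions are anchored at the real root
# element of the sample document, IDMEF-Message — an absolute path that starts
# with /Alert only matches a document whose root element is <Alert>, so it
# selects nothing for <IDMEF-Message><Alert>…</Alert></IDMEF-Message> logs.
# Assumes Filebeat delivers each whole XML document as a single event (multiline
# handling on the Filebeat side) — confirm, otherwise `message` holds one line.
filter {
  xml {
    # Event field holding the raw XML text shipped by Filebeat.
    source => "message"
    # Field under which the whole parsed document is stored; required when
    # store_xml is true.
    target => "log_filtre"
    store_xml => true
    # Pairs of XPath expression, destination field. A path that matches nothing
    # leaves its field unset; matches are presumably stored as an array of
    # strings — check the resulting events in Kibana.
    xpath => [
      "/IDMEF-Message/Alert/Analyzer/Node/location/text()",          "Localisation",
      "/IDMEF-Message/Alert/Analyzer/Node/name/text()",              "Nom",
      "/IDMEF-Message/Alert/Analyzer/Node/Address/address/text()",   "AdresseIP",
      "/IDMEF-Message/Alert/Analyzer/Process/name/text()",           "Nom_manager",
      "/IDMEF-Message/Alert/Analyzer/Process/pid/text()",            "pid",
      "/IDMEF-Message/Alert/Analyzer/Process/path/text()",           "Chemin",
      # Nested Analyzer = the sensor (suricata in the sample).
      "/IDMEF-Message/Alert/Analyzer/Analyzer/name/text()",          "Nom_de_la_sonde",
      # The sensor IP is at Node/Address/address, not Node/address.
      "/IDMEF-Message/Alert/Analyzer/Analyzer/Node/Address/address/text()", "Adresse_sonde",
      "/IDMEF-Message/Alert/Assessment/Impact/text()",               "Alerte",
      "/IDMEF-Message/Alert/CreateTime/text()",                      "Date"
    ]
  }
}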

It works now :grinning:
