Logstash XML parsing issues - trying to send to Graylog

Hi,

I would like to parse some NetApp CIFS share audit log XML files, but they are an ugly format that I don't have control over (below):

<Event>
	<System>
		<Provider Name="NetApp-Security-Auditing" Guid="{********}"/>
		<EventID>4663</EventID>
		<EventName>Get Object Attributes</EventName>
		<Version>101.2</Version>
		<Source>CIFS</Source>
		<Level>0</Level>
		<Opcode>0</Opcode>
		<Keywords>0x8020000000000000</Keywords>
		<Result>Audit Success</Result>
		<TimeCreated SystemTime="2019-07-29T20:17:56.625219000Z"/>
		<Correlation/>
		<Channel>Security</Channel>
		<Computer>********</Computer>
		<ComputerUUID>********</ComputerUUID>
		<Security/>
	</System>
	<EventData>
		<Data Name="SubjectIP" IPVersion="4">********</Data>
		<Data Name="SubjectUnix" Uid="65534" Gid="65534" Local="false"></Data>
		<Data Name="SubjectUserSid">********</Data>
		<Data Name="SubjectUserIsLocal">false</Data>
		<Data Name="SubjectDomainName">********</Data>
		<Data Name="SubjectUserName">********</Data>
		<Data Name="ObjectServer">Security</Data>
		<Data Name="ObjectType">Directory</Data>
		<Data Name="HandleID">00000000000511;00;0002fd34;687fe433</Data>
		<Data Name="ObjectName">********</Data>
		<Data Name="InformationRequested">File Type; File Size; Created Time; Last Accessed Time; Last Metadata Modfied Time; Last Modified Time; Allocation size; Delete on last close; </Data>
	</EventData>
</Event>

If I do the following config, it will output fine in stdout, but not in Graylog

input {
  file {
    path => "/tmp/cifs_audit/audit_D2019-07-29-T20-18-04_0000000000.xml"
    start_position => "beginning"
    type => "cifs_xml"
  }
}

filter {
  xml {
    source => "message"
    target => "xml_content"
    remove_namespaces => true
    store_xml => true
    force_array => false
  }
}

output {
  if [type] == "cifs_xml" {
    gelf {
      host => "graylog.host"
      port => 12201
    }
  }
}

it will output the System and EventData keys into fields in Graylog with JSON-like content, but none of the sub-fields.

We tried xpath configurations, but it would break Logstash with various Ruby errors before we could even get messages.

So, any suggestions on how to parse the XML pasted above so that it can be field:value in Graylog? Thank you in advance!

Just updating, I was able to get it working with this config:

input {
  file {
    path => "/tmp/cifs_audit/audit_*****_D2019-07-29-T20-18-04_0000000000.xml"
    start_position => "beginning"
    type => "cifs_xml"
  }
}

filter {
  xml {
    source => "message"
    target => "xml_content"
    remove_namespaces => true
    store_xml => true
    force_array => false
    xpath => [ "/Event/System/EventID/text()", "System.EventID" ]
    xpath => [ "/Event/System/EventName/text()", "System.EventName" ]
    xpath => [ "/Event/System/Result/text()", "System.Result" ]
    xpath => [ "/Event/System/Channel/text()", "System.Channel" ]
    xpath => [ "/Event/System/Computer/text()", "System.Computer" ]
    xpath => [ "/Event/EventData//Data[1]/text()", "EventData.SubjectIP" ]
    xpath => [ "/Event/EventData//Data[3]/text()", "EventData.SubjectUserSID" ]
    xpath => [ "/Event/EventData//Data[4]/text()", "EventData.SubjectUserIsLocal" ]
    xpath => [ "/Event/EventData//Data[5]/text()", "EventData.SubjectDomainName" ]
    xpath => [ "/Event/EventData//Data[6]/text()", "EventData.SubjectUserName" ]
    xpath => [ "/Event/EventData//Data[7]/text()", "EventData.ObjectServer" ]
    xpath => [ "/Event/EventData//Data[8]/text()", "EventData.ObjectType" ]
    xpath => [ "/Event/EventData//Data[9]/text()", "EventData.HandleID" ]
    xpath => [ "/Event/EventData//Data[10]/text()", "EventData.ObjectName" ]
    xpath => [ "/Event/EventData//Data[11]/text()", "EventData.AccessList" ]
    xpath => [ "/Event/EventData//Data[12]/text()", "EventData.AccessMask" ]
    xpath => [ "/Event/EventData//Data[13]/text()", "EventData.DesiredAccess" ]
    xpath => [ "/Event/EventData//Data[14]/text()", "EventData.Attributes" ]
  }
}

output {
  if [type] == "cifs_xml" {
    gelf {
      host => "graylog.host"
      port => 12201
    }
  }
}
2 Likes

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.