Hi,
I would like to parse some NetApp CIFS share audit log XML files, but they are in an ugly format that I don't have control over (below):
<Event>
<System>
<Provider Name="NetApp-Security-Auditing" Guid="{********}"/>
<EventID>4663</EventID>
<EventName>Get Object Attributes</EventName>
<Version>101.2</Version>
<Source>CIFS</Source>
<Level>0</Level>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<Result>Audit Success</Result>
<TimeCreated SystemTime="2019-07-29T20:17:56.625219000Z"/>
<Correlation/>
<Channel>Security</Channel>
<Computer>********</Computer>
<ComputerUUID>********</ComputerUUID>
<Security/>
</System>
<EventData>
<Data Name="SubjectIP" IPVersion="4">********</Data>
<Data Name="SubjectUnix" Uid="65534" Gid="65534" Local="false"></Data>
<Data Name="SubjectUserSid">********</Data>
<Data Name="SubjectUserIsLocal">false</Data>
<Data Name="SubjectDomainName">********</Data>
<Data Name="SubjectUserName">********</Data>
<Data Name="ObjectServer">Security</Data>
<Data Name="ObjectType">Directory</Data>
<Data Name="HandleID">00000000000511;00;0002fd34;687fe433</Data>
<Data Name="ObjectName">********</Data>
<Data Name="InformationRequested">File Type; File Size; Created Time; Last Accessed Time; Last Metadata Modfied Time; Last Modified Time; Allocation size; Delete on last close; </Data>
</EventData>
</Event>
If I do the following config, it will output fine in stdout, but not in Graylog:
input {
file {
path => "/tmp/cifs_audit/audit_D2019-07-29-T20-18-04_0000000000.xml"
start_position => "beginning"
type => "cifs_xml"
}
}
filter {
xml {
source => "message"
target => "xml_content"
remove_namespaces => true
store_xml => true
force_array => false
}
}
output {
if [type] == "cifs_xml" {
gelf {
host => "graylog.host"
port => 12201
}
}
}
It will output the System and EventData keys into fields in Graylog with JSON-like content, but none of the sub-fields.
We tried xpath configurations, but it would break Logstash with various Ruby errors before we could even get messages.
So, any suggestions on how to parse the XML pasted above so that it can be field:value in Graylog? Thank you in advance!
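What the poster is after is a flat set of scalar keys, because GELF 1.1 additional fields may only be strings or numbers; a nested object under xml_content arrives in Graylog as one opaque blob, which matches the symptom described above. The following is an added example, written for this page and not code from the original post, Logstash or NetApp: it parses the sample record into field:value pairs in Python so the resulting field names can be checked before the pipeline is wired up, and wraps them into a GELF message. It assumes that full audit files either contain a lone Event or a wrapper element holding many Event children (the post shows only one record), and that a namespace, if present, should be dropped like remove_namespaces => true does. The sample event is constructed from the record in the post, with masked values kept masked.

```python
"""Flatten a NetApp CIFS audit <Event> into scalar field:value pairs and build a GELF message.

Added example for this page; not the poster's, Logstash's or NetApp's code.
"""
import calendar
import re
from datetime import datetime

try:
    # defusedxml refuses entity expansion and external entities (XXE). The filer
    # writes these files, but treating every XML you ingest as untrusted is cheap.
    from defusedxml import ElementTree as ET
except ImportError:
    import xml.etree.ElementTree as ET  # stdlib fallback

# Constructed sample, shaped like the record in the post (subset of the Data elements).
SAMPLE_EVENT = """<Event>
<System>
<Provider Name="NetApp-Security-Auditing" Guid="{********}"/>
<EventID>4663</EventID>
<EventName>Get Object Attributes</EventName>
<Version>101.2</Version>
<Level>0</Level>
<Keywords>0x8020000000000000</Keywords>
<Result>Audit Success</Result>
<TimeCreated SystemTime="2019-07-29T20:17:56.625219000Z"/>
<Correlation/>
<Computer>********</Computer>
</System>
<EventData>
<Data Name="SubjectIP" IPVersion="4">********</Data>
<Data Name="SubjectUnix" Uid="65534" Gid="65534" Local="false"></Data>
<Data Name="ObjectType">Directory</Data>
<Data Name="HandleID">00000000000511;00;0002fd34;687fe433</Data>
</EventData>
</Event>"""


def _local(tag):
    """Drop an XML namespace prefix ('{uri}Tag' -> 'Tag'); assumed to mirror remove_namespaces."""
    return tag.rsplit("}", 1)[-1]


def _scalar(text):
    """GELF additional fields must be strings or numbers; promote pure digit strings to int."""
    text = text.strip()
    return int(text) if text.isdigit() else text


def iter_events(xml_text):
    """Yield each <Event>: the root itself, or every Event under an assumed wrapper element."""
    root = ET.fromstring(xml_text)
    if _local(root.tag) == "Event":
        yield root
    else:
        for el in root.iter():
            if _local(el.tag) == "Event":
                yield el


def flatten_event(event):
    """Map <System> children by tag and <Data> children by their Name attribute; every
    attribute becomes its own key (e.g. EventData_SubjectUnix_Uid). Empty elements yield nothing."""
    fields = {}
    for section in event:  # <System>, <EventData>
        for el in section:
            is_data = _local(el.tag) == "Data"
            name = el.attrib.get("Name") if is_data else _local(el.tag)
            if not name:
                continue
            key = f"{_local(section.tag)}_{name}"
            if el.text and el.text.strip():
                fields[key] = _scalar(el.text)
            for attr, val in el.attrib.items():
                if is_data and attr == "Name":
                    continue  # already used as the key
                fields[f"{key}_{attr}"] = _scalar(val)
    return fields


def netapp_time_to_epoch(value):
    """'2019-07-29T20:17:56.625219000Z' -> float epoch seconds. The nanosecond field is
    wider than strptime's %f accepts, so the fraction is handled by hand (truncated to µs)."""
    base, _, frac = value.rstrip("Z").partition(".")
    secs = calendar.timegm(datetime.strptime(base, "%Y-%m-%dT%H:%M:%S").timetuple())
    return secs + (int(frac[:6].ljust(6, "0")) / 1e6 if frac else 0.0)


_UNSAFE = re.compile(r"[^\w.\-]")  # GELF additional-field names: word chars, dot, dash


def to_gelf(fields):
    """Build a GELF 1.1 dict: additional fields get a leading underscore, and '_id' is
    reserved by the spec, so a field that would collide with it is renamed."""
    msg = {
        "version": "1.1",
        "host": str(fields.get("System_Computer", "unknown")),
        "short_message": f"{fields.get('System_EventName', 'unknown')}: "
                         f"{fields.get('System_Result', '')}".strip(),
    }
    ts = fields.get("System_TimeCreated_SystemTime")
    if ts:
        msg["timestamp"] = netapp_time_to_epoch(str(ts))
    for key, val in fields.items():
        safe = _UNSAFE.sub("_", key)
        msg["_" + ("id_" if safe == "id" else safe)] = val
    return msg


if __name__ == "__main__":
    for ev in iter_events(SAMPLE_EVENT):
        print(to_gelf(flatten_event(ev)))
```

The key naming (System_EventID, EventData_SubjectUnix_Uid, ...) is the flat layout a GELF consumer can index directly; the same walk can be expressed as a Logstash ruby filter over the xml_content object if the xml filter is kept, but the point of running it stand-alone first is to see exactly which keys the record produces, including the attribute-only ones like SubjectUnix that the original config loses.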