Alright, I have a couple of changes I want to make before an XML file reaches the XML parser:
- Strip versioning/encoding statement from the file
- Ensure the tags `<feedback>` and `</feedback>` are placed on their own lines if they aren't already.
The XML reports I receive come in a variety of line formats, and it seems the XML filter has issues if all the tags reside on the same line. I'm already using a multiline pattern to fold everything together, so I can't use that method. Any ideas?
<?xml version='1.0' encoding='utf-8'?>
<feedback><field1><field2></field1></field2></feedback>
or
<?xml version='1.0' encoding='utf-8'?>
<feedback>
<field1>
<field2>
</field1>
</field2>
</feedback>
or
<?xml version='1.0' encoding='utf-8'?>
<feedback>
<field1><field2></field1></field2>
</feedback>
Here's my input/filter config
file {
  # Tail DMARC aggregate reports dropped into this directory (Windows path, forward slashes).
  path => 'C:/DMARC/*.xml'
  id => 'Ingest'
  # Look for new files matching `path` every 5 s; close handles that have been idle for 5 s.
  discover_interval => 5
  close_older => 5
  # Fold lines into events: a line that does NOT contain "<record>" (negate) is appended
  # to the previous event, so every event begins at a line containing "<record>".
  # NOTE(review): no auto_flush_interval is set, so the trailing lines of a file may not be
  # emitted until more input arrives -- confirm against the multiline codec docs for this version.
  codec => multiline {
    pattern => '<record>'
    negate => true
    what => 'previous'
  }
}
}
filter {
# Parse each event's "message" field as XML and lift selected nodes into named fields.
# NOTE(review): DMARC aggregate reports are produced by third-party mail receivers, so
# "message" is externally controlled input -- confirm the parser behind this filter does not
# resolve external entities or DTDs before running it on production data.
xml {
id => "Parse"
# Every xpath result is stored as an array, even when a single node matches.
force_array => true
# The parsed tree itself is not kept on the event; only the xpath-extracted fields are added.
store_xml => false
source => "message"
# Pairs of [xpath expression, target field name]. Expressions are relative to the document
# root, so "feedback/..." only matches events whose root element is <feedback>, and
# "record/..." only events whose root is <record>. An event that is not a well-formed
# document (e.g. a fragment cut by the multiline codec) fails to parse and is tagged
# (typically `_xmlparsefailure`) -- verify each event is complete XML.
# Target names contain spaces; later filters must reference them as e.g. [Reporting Org].
xpath => [
"feedback/report_metadata/org_name/text()", "Reporting Org",
"feedback/report_metadata/email/text()", "Org Contact",
"feedback/report_metadata/report_id/text()", "Report ID",
"feedback/report_metadata/date_range/begin/text()", "Start Date",
"feedback/report_metadata/date_range/end/text()", "End Date",
"feedback/policy_published/domain/text()", "Policy Domain",
"feedback/policy_published/aspf/text()", "SPF Mode",
"feedback/policy_published/adkim/text()", "DKIM Mode",
"feedback/policy_published/p/text()", "DMARC Policy Action",
"feedback/policy_published/sp/text()", "DMARC Sub-Domain Action",
"feedback/policy_published/pct/text()", "Application Percentage",
# Per-record entries: presumably intended for the events that start at <record>.
"record/row/source_ip/text()", "Sender IP",
"record/row/count/text()", "Message Count",
"record/row/policy_evaluated/disposition/text()", "Policy Disposition",
"record/row/policy_evaluated/spf/text()", "SPF Disposition",
"record/identifiers/header_from/text()", "Message Header",
"record/auth_results/dkim/domain/text()", "DKIM Domain",
"record/auth_results/dkim/result/text()", "DKIM Result",
"record/auth_results/spf/domain/text()", "SPF Domain",
"record/auth_results/spf/scope/text()", "SPF Scope",
"record/auth_results/spf/result/text()", "SPF Result"
]
}