Multiline codec produces ParseException: No close tag for /Events

Paul_Offord · April 1, 2020, 8:50am

Hi,

I am ingesting an XML file that looks like this:

<Events>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">  - about 630,000 of these events
  ... stuff
</Event>
</Events>

The input section of my config file looks like this:

input {
  file {
    path => "c:/traces/pcbd/20200327/wininettrace.xml"
    start_position => "beginning"
    sincedb_path => "NUL"
    type => "wininet"
	
    codec => multiline {
      pattern => "<Event "
      negate => true
      what => "previous"
    }
  }
}

The ingestion runs to completion, but right at the start I get this error:

Error parsing xml with XmlSimple {:source=>"message", :value=>"<Events>\r", :exception=>#<REXML::ParseException: No close tag for /Events

What do I need to do to get the multiline codec to ignore the <Events> and </Events> tags?

Badger · April 1, 2020, 3:16pm

I would include them, then if you really need to (and I don't see why you would) you can mutate+gsub them away.

Paul_Offord · April 1, 2020, 3:42pm

OK - but it causes a parsing error when the multiline codec runs. Perhaps I should rephrase my question:

How to I stop the parsing error?

Badger · April 1, 2020, 4:20pm

If you are using xpath then you need the XML to be valid XML, it will not tolerate junk surrounding the XML (this is not true if you set store_xml to be true and save the parsed XML in the event). So you can either change the multiline codec so that it match '<Events>' rather than '<Event ', or you can use mutate+gsub to clean up the XML before passing it to the xml filter.

system · April 29, 2020, 4:20pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.