Multiline XML not parsing

Elastic Stack Logstash
1

There are may different examples out here on how to take Nessus files and bring them in to Elastic via Logstash. I have read them and tried many different configs. Here is the XML file I am trying to read in. https://gist.github.com/b0rn2dv8/06884520aa18bcfcbdcea6153a093c63

Here is ruby debug
https://gist.github.com/b0rn2dv8/187b768b0b5a77f54e04ec7ee529c5dc

Here is my logstash config that I am running right now.

input {
	file {
	 	path => "/home/user/nessus/*"
		sincedb_path => "/dev/null"
		start_position => "beginning"
		codec => multiline {
			pattern => "<Report |</NessusClientData_v2>"
			auto_flush_interval => 1
			negate => "true"
			what => "previous"
			max_lines => 1000000000
			max_bytes => "256 MiB"
			}
		tags => "nessus"
		type => "nessus"
	}  
}


filter {

	##################### This formats the message to so processing works

	if [type] == "nessus" {
	xml {
                        source => "message"
                        store_xml => false

                        xpath =>[
                                "/NessusClientData_v2/Report/@name","report_name",
                                "/NessusClientData_v2/Report/ReportHost","report_host"
                        ]
                }
                split {
                        field => "report_host"
                }

                xml {
                        source => "report_host"
                        store_xml => false

                        xpath =>[
                                "/ReportHost/ReportItem","report_item",
                                "/ReportHost/@name","report_host_name",
                                "/ReportHost/HostProperties/tag[@name='HOST_START']/text()","report_host_start",
                                "/ReportHost/HostProperties/tag[@name='HOST_END']/text()","report_host_end"
                           
                        ]
                }
                split {
                        field => "report_item"
                }
                xml {
                        source => "report_item"
                        store_xml => false

                        xpath =>
                        [
                                "/ReportItem/@port","report_item_port"                              
                        ]
                }


                mutate  {
                        remove_field => [ "message","report_host","report_item" ]
                        replace => { "report_host_start" => "%{report_host_start[0]}" }
                        replace => { "report_host_end" => "%{report_host_end[0]}" }
                        convert => { "report_item_severity" => "integer" }

                }
                date {
                        match => [ "report_host_start", "EEE MMM dd HH:mm:ss yyyy" ]
                        target => "report_host_start"
                        locale => "en_US"
                }
                date {
                        match => [ "report_host_end", "EEE MMM dd HH:mm:ss yyyy" ]
                        target => "report_host_end"
                        locale => "en_US"
                }


        }
}


output {
  	################### this is for debuging what has been parsed 
	file {
		path => "/var/log/logstash/rubydebug"
		codec => rubydebug
		}
	

elasticsearch {
		hosts => ["10.2.3.8:9200"]
		index => "nessus-%{+YYYY.MM.dd}"
		}	}
2

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.