Need help in parsing DMARC report in XML format

(R) #1

Hi team,

I am receiving the XML report for our domain in XML format and wanted to know if it can be parsed using Logstash so that the data can be visualized in Kibana?

Please suggest.

(Walker) #2

I created a thing just for that. Have you checked out ElasticMARC?

(Walker) #3

Does this resolve the issue for you or is there something wrong with that solution?

(R) #4

Sorry, I haven't had a chance to look at it. Let me look at it and revert.

Thanks for the help. :)

(R) #5

Does this require a Windows system? I am looking for a Logstash file for parsing XML files. Or is any other alternative available so that incoming reports can be parsed on Linux?

(Walker) #6

Not quite sure what you are asking. It's for parsing dmarc aggregate reports. The readme is geared towards setting up Elastic Stack on a Windows platform but most of it can be used on a Linux setup as well.

(R) #7

Correct, this is what I am asking for. I wanted to have everything work on Linux but am not sure what the PowerShell script does here.

Wondering what changes are needed to make it work on Linux?

(Walker) #8

The script does the following:

Connect to a Microsoft Exchange mailbox
Download the aggregate report
Relocate the email to an alternate folder
Decompress the aggregate report
Restructure the XML nodes (see below for reasoning)
Save the new XML document to an ingest folder (or other place you prefer)

In the default format, the report_metadata and policy_published nodes exist outside of the record node. I saw this as a bit of a problem because I wanted the published policy and metadata to exist alongside each record. The script duplicates these nodes into each record in the XML file so that each event has it.

If you don't care about any of that, then the rest of it will work. You'll need to rewrite/omit a couple of the XPath statements in the logstash pipeline for the metadata and policy nodes but otherwise, everything else will work.

Unfortunately, I am not skilled with Linux or Ruby so I have no idea how to accomplish the same thing without PowerShell, though I am 100% confident it can be done.
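An added example, not part of ElasticMARC or the PowerShell script described above, showing the same post-download steps done in Python so they run on Linux: decompress the attachment (zip or gzip), copy report_metadata and policy_published into every record, and write one JSON document per record for a Logstash file input with a json codec (or, with restructure_xml, emit the reshaped XML the existing XPath pipeline expects). The mailbox download is out of scope; the report below is a constructed sample, not a real aggregate report.

```python
import copy
import gzip
import io
import json
import zipfile
import xml.etree.ElementTree as ET

# Constructed sample aggregate report (not a real report): two records, one
# of which has two <dkim> results so repeated tags are exercised.
SAMPLE_REPORT = b"""<?xml version="1.0" encoding="UTF-8"?>
<feedback>
  <report_metadata><org_name>example-reporter</org_name><report_id>12345</report_id>
    <date_range><begin>1700000000</begin><end>1700086399</end></date_range></report_metadata>
  <policy_published><domain>example.com</domain><adkim>r</adkim><aspf>r</aspf>
    <p>reject</p><sp>reject</sp><pct>100</pct></policy_published>
  <record>
    <row><source_ip>192.0.2.10</source_ip><count>3</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results>
      <dkim><domain>example.com</domain><result>pass</result></dkim>
      <dkim><domain>mail.example.com</domain><result>pass</result></dkim>
      <spf><domain>example.com</domain><result>pass</result></spf>
    </auth_results>
  </record>
  <record>
    <row><source_ip>198.51.100.7</source_ip><count>1</count>
      <policy_evaluated><disposition>reject</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results><spf><domain>example.org</domain><result>fail</result></spf></auth_results>
  </record>
</feedback>
"""


def decompress_report(blob):
    """Return raw XML bytes from a .zip, .gz, or plain .xml attachment body."""
    if blob[:2] == b"PK":                      # zip magic number
        with zipfile.ZipFile(io.BytesIO(blob)) as zf:
            xml_names = [n for n in zf.namelist() if n.lower().endswith(".xml")]
            if not xml_names:
                raise ValueError("zip attachment contains no .xml member")
            return zf.read(xml_names[0])
    if blob[:2] == b"\x1f\x8b":                # gzip magic number
        return gzip.decompress(blob)
    return blob                                # assume plain XML


def pack_gzip(xml_bytes):
    """Build a gzip attachment body in memory (only to make the demo runnable)."""
    return gzip.compress(xml_bytes)


def element_to_dict(elem):
    """Recursively convert a subtree to nested dicts; repeated tags become lists."""
    children = list(elem)
    if not children:
        return (elem.text or "").strip()
    out = {}
    for child in children:
        value = element_to_dict(child)
        if child.tag in out:                   # e.g. several <dkim> results
            if not isinstance(out[child.tag], list):
                out[child.tag] = [out[child.tag]]
            out[child.tag].append(value)
        else:
            out[child.tag] = value
    return out


def flatten_report(xml_bytes):
    """One dict per <record>, each carrying a copy of metadata and policy."""
    root = ET.fromstring(xml_bytes)
    meta_el = root.find("report_metadata")
    policy_el = root.find("policy_published")
    metadata = element_to_dict(meta_el) if meta_el is not None else {}
    policy = element_to_dict(policy_el) if policy_el is not None else {}
    events = []
    for record in root.findall("record"):
        event = element_to_dict(record)
        event["report_metadata"] = copy.deepcopy(metadata)
        event["policy_published"] = copy.deepcopy(policy)
        event["row"]["count"] = int(event["row"]["count"])   # numeric so Kibana can sum it
        events.append(event)
    return events


def restructure_xml(xml_bytes):
    """XML in, XML out: move the metadata and policy nodes under every <record>."""
    root = ET.fromstring(xml_bytes)
    nodes = [n for n in (root.find("report_metadata"), root.find("policy_published")) if n is not None]
    for record in root.findall("record"):
        for node in nodes:
            record.append(copy.deepcopy(node))
    for node in nodes:
        root.remove(node)
    return ET.tostring(root)


def to_ndjson(events):
    """Newline-delimited JSON, one event per line, for a Logstash file input."""
    return "\n".join(json.dumps(e, sort_keys=True) for e in events) + "\n"


if __name__ == "__main__":
    print(to_ndjson(flatten_report(decompress_report(pack_gzip(SAMPLE_REPORT)))))
```

Writing the NDJSON output into the ingest folder lets Logstash pick it up with `codec => json`, so the XML filter and the XPath statements for the metadata and policy nodes are no longer needed; restructure_xml is the alternative if you would rather keep the existing pipeline unchanged.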

(R) #9

Thanks, let me work on it.

Well, what if I don't have Exchange? Can mails be pulled via the IMAP protocol from other mail servers, or even from Exchange servers?

Then the only thing remaining is parsing the XML reports, which I need to dig into further.

(Walker) #10

Since the environment I work in uses Exchange and has IMAP disabled, that's the solution I developed for. I don't know IMAP well, but if you are able to develop an IMAP script I would be more than happy to include it in the repo. If you're able to develop any Linux/OS-agnostic script I would be more than happy to have it included in the repo and, obviously, give credit where it is due.