Hello
I'm trying to parse an XML document that I'm getting from the Windows Event Viewer.
I'll try to explain as best I can, and any questions or doubts can be asked afterwards.
I have this in a field that is winlog.event_data.param2 (values have been edited for privacy reasons):
<?xml version="1.0" encoding="utf-16"?>
<AuditBase xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="FreshCredentialAudit">
<AuditType>FreshCredentials</AuditType>
<AuditResult>Failure</AuditResult>
<FailureType>CredentialValidationError</FailureType>
<ErrorCode>N/A</ErrorCode>
<ContextComponents>
<Component xsi:type="ResourceAuditComponent">
<RelyingParty>N/A</RelyingParty>
<ClaimsProvider>N/A</ClaimsProvider>
<UserId>auser@adomain.com</UserId>
</Component>
<Component xsi:type="AuthNAuditComponent">
<PrimaryAuth>N/A</PrimaryAuth>
<DeviceAuth>false</DeviceAuth>
<DeviceId>N/A</DeviceId>
<MfaPerformed>false</MfaPerformed>
<MfaMethod>N/A</MfaMethod>
<TokenBindingProvidedId>false</TokenBindingProvidedId>
<TokenBindingReferredId>false</TokenBindingReferredId>
<SsoBindingValidationLevel>NotSet</SsoBindingValidationLevel>
</Component>
<Component xsi:type="ProtocolAuditComponent">
<OAuthClientId>N/A</OAuthClientId>
<OAuthGrant>N/A</OAuthGrant>
</Component>
<Component xsi:type="RequestAuditComponent">
<Server>http://fs.adomain.com/adfs/services/trust</Server>
<AuthProtocol>N/A</AuthProtocol>
<NetworkLocation>Extranet</NetworkLocation>
<IpAddress>123.123.123.123,231.231.231.231</IpAddress>
<ForwardedIpAddress>123.123.123.123,231.231.231.231</ForwardedIpAddress>
<ProxyIpAddress>N/A</ProxyIpAddress>
<NetworkIpAddress>N/A</NetworkIpAddress>
<ProxyServer>ASERVERTHATISADC</ProxyServer>
<UserAgentString>Microsoft Office/16.0 (Windows NT 10.0; Microsoft Outlook 16.0.13628; Pro)</UserAgentString>
<Endpoint>/adfs/services/trust/2005/usernamemixed</Endpoint>
</Component>
</ContextComponents>
</AuditBase>
My original Logstash config is:
input {
  beats {
    port => 5051
    tags => [ "winlogbeat" ]
  }
}
filter
{
  if "winlogbeat" not in [tags]
  {
    drop { }
  }
}
filter
{
  if [winlog][channel] != "Security"
  {
    drop { }
  }
}
filter
{
  if [event][code] != 1200 and [event][code] != 1202 and [event][code] != 1203
  {
    drop { }
  }
}
filter {
  mutate {
    copy => { "[host][hostname]" => "[@metadata][hostlower]" }
  }
  mutate {
    lowercase => [ "[@metadata][hostlower]" ]
  }
}
output
{
  elasticsearch {
    hosts => ["localhost"]
    user => ["elastic"]
    password => ["apassword"]
    index => "aindex-%{+yyyy.MM.dd}"
  }
}
My idea/thought process (but it doesn't work) is:
input {
  beats {
    port => 5051
    tags => [ "winlogbeat" ]
  }
}
filter
{
  if "winlogbeat" not in [tags]
  {
    drop { }
  }
}
filter
{
  if [winlog][channel] != "Security"
  {
    drop { }
  }
}
filter
{
  if [event][code] != 1200 and [event][code] != 1202 and [event][code] != 1203
  {
    drop { }
  }
}
filter {
  xml {
    store_xml => false
    # the field reference must be a quoted string; a bare [winlog][event_data][param2]
    # is not valid Logstash config syntax
    source => "[winlog][event_data][param2]"
    # xpath is a hash of XPath expression => destination field
    xpath => { "/AuditBase/AuditType/text()" => "AuditType" }
  }
}
filter {
  mutate {
    copy => { "[host][hostname]" => "[@metadata][hostlower]" }
  }
  mutate {
    lowercase => [ "[@metadata][hostlower]" ]
  }
}
output
{
  elasticsearch {
    hosts => ["localhost"]
    user => ["elastic"]
    password => ["apassword"]
    index => "aindex-%{+yyyy.MM.dd}"
  }
}
Can someone lend me a hand and help me understand how to do this?
Thank you very much
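Added example (not code from the question or from Logstash itself): a stand-alone Python parser for the AuditBase document above that flattens each Component, keyed by its xsi:type, into dotted field names the way a set of xpath entries would. It assumes the whole document arrives as already-decoded text in winlog.event_data.param2; the dotted field names are my own choice, not an ADFS or Logstash convention.

```python
import re
import xml.etree.ElementTree as ET

XSI = "{http://www.w3.org/2001/XMLSchema-instance}"

# Constructed sample: an abbreviated copy of the AuditBase document shown in the question.
SAMPLE = """<?xml version="1.0" encoding="utf-16"?>
<AuditBase xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="FreshCredentialAudit">
<AuditType>FreshCredentials</AuditType>
<AuditResult>Failure</AuditResult>
<FailureType>CredentialValidationError</FailureType>
<ContextComponents>
<Component xsi:type="ResourceAuditComponent">
<UserId>auser@adomain.com</UserId>
</Component>
<Component xsi:type="AuthNAuditComponent">
<MfaPerformed>false</MfaPerformed>
</Component>
<Component xsi:type="RequestAuditComponent">
<NetworkLocation>Extranet</NetworkLocation>
<IpAddress>123.123.123.123,231.231.231.231</IpAddress>
<Endpoint>/adfs/services/trust/2005/usernamemixed</Endpoint>
</Component>
</ContextComponents>
</AuditBase>"""

XML_DECL = re.compile(r"^\s*<\?xml[^>]*\?>")


def parse_audit(param2: str) -> dict:
    """Flatten one ADFS AuditBase document into dotted field names."""
    # param2 arrives as already-decoded text although its declaration says
    # utf-16; strip the declaration so the parser does not act on that claim.
    root = ET.fromstring(XML_DECL.sub("", param2, count=1))
    fields = {"AuditKind": root.get(XSI + "type")}
    for child in root:
        if child.tag != "ContextComponents":
            fields[child.tag] = (child.text or "").strip()
    # Each <Component> is distinguished only by its xsi:type attribute, so use
    # that as the prefix (hypothetical naming chosen for this example).
    for comp in root.iter("Component"):
        prefix = comp.get(XSI + "type", "Component")
        for el in comp:
            fields[f"{prefix}.{el.tag}"] = (el.text or "").strip()
    # Comma-separated client/forwarded addresses become lists so each IP is
    # individually searchable once indexed.
    for key, value in list(fields.items()):
        if key.endswith("IpAddress") and "," in value:
            fields[key] = [ip.strip() for ip in value.split(",")]
    return fields
```

Each dotted key here corresponds to one xpath entry in the Logstash xml filter, selecting the Component by its xsi:type attribute rather than by position.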