Not properly formated XML

shani · November 29, 2020, 7:20pm

Hi All,

I have raw event logs like this

<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='Service Control Manager' Guid='{555908d1-a6d7-4695-8e1e-26931d2012f4}' EventSourceName='Service Control Manager'/><EventID Qualifiers='16384'>7036</EventID><Version>0</Version><Level>Information</Level><Task>None</Task><Opcode></\nOpcode><Keywords>Classic</Keywords><TimeCreated SystemTime='2020-02-01T00:55:45.040458400Z'/><EventRecordID>296447</EventRecordID><Correlation/><Execution ProcessID='712' ThreadID='6072'/><Channel>System</Channel><Computer>TermServ-p.local</Computer><Security/></System><EventData>The WinHTTP Web Proxy Auto-Discovery Service service entered the running state.</EventData></Event>

My conf file is here

input {
file {
     path => "/etc/logstash/conf.d/abc.log"
     start_position => beginning
     sincedb_path => "/dev/null"
     codec => multiline {
       pattern => "<Event\s+xmlns=.+?>"
       negate => true
       what => "previous"
     }
  }
}

filter {
  xml {
    source => "message"
    target => "xml_parsed"
    remove_namespaces => "true"
    force_array => "false"
    xpath => ["//Provider/@Name", "[event][provider]", "//Provider/@Guid", "[process][entity_id]", "//Provider/@EventSourceName", "[event][dataset]", "//EventID/@Qualifiers", "[tl_custom][event_id][qualifier]", "//EventID/text()", "[event][code]", "//Level/text()", "[log][level]", "//Task/text()", "[event][action]", "//Keywords/text()", "[tl_custom][keyword]", "//TimeCreated/@SystemTime", "[event][created]", "//EventRecordID/text()", "[winlog][record_id]", "//Execution/@ProcessID", "[process][pid]", "//Execution/@ThreadID", "[process][thread][id]", "//Channel/text()", "[event][type]", "//Computer/text()", "[winlog][computer_name]", "//Security/@UserID", "[user][name]", "//EventData/text()", "[event][description]" ]
}
  mutate {
    remove_field => [ "xml_parsed"]
    copy => { "[winlog][computer_name]" => "[most][name]"}
    lowercase => ["[most][name]"]
    remove_field => ["[tl_custom][event_id][qualifier]" , "[tl_custom][keyword]"]
  }
}

output {
  stdout { codec => rubydebug}
}

I'm getting error like this

[WARN ] 2020-11-29 10:37:24.283 [[main]>worker0] xml - Error parsing xml with XmlSimple {:source=>"message", :value=>"<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='Service Control Manager' Guid='{555908d1-a6d7-4695-8e1e-26931d2012f4}' EventSourceName='Service Control Manager'/><EventID Qualifiers='16384'>7036</EventID><Version>0</Version><Level>Information</Level><Task>None</Task><Opcode></\\nOpcode><Keywords>Classic</Keywords><TimeCreated SystemTime='2020-02-01T00:55:45.040458400Z'/><EventRecordID>296447</EventRecordID><Correlation/><Execution ProcessID='712' ThreadID='6072'/><Channel>System</Channel><Computer>TermServ-PHX.corp.local</Computer><Security/></System><EventData>The WinHTTP Web Proxy Auto-Discovery Service service entered the running state.</EventData></Event>", :exception=>#<REXML::ParseException: #<NoMethodError: undefined method `[]' for nil:NilClass>
uri:classloader:/META-INF/jruby.home/lib/ruby/stdlib/rexml/parsers/baseparser.rb:343:in `pull_event'
uri:classloader:/META-INF/jruby.home/lib/ruby/stdlib/rexml/parsers/baseparser.rb:185:in `pull'
uri:classloader:/META-INF/jruby.home/lib/ruby/stdlib/rexml/parsers/treeparser.rb:23:in `parse'
uri:classloader:/META-INF/jruby.home/lib/ruby/stdlib/rexml/document.rb:288:in `build'
uri:classloader:/META-INF/jruby.home/lib/ruby/stdlib/rexml/document.rb:45:in `initialize'
/usr/share/logstash/vendor/bundle/jruby/2.5.0/gems/xml-simple-1.1.5/lib/xmlsimple.rb:971:in `parse'
/usr/share/logstash/vendor/bundle/jruby/2.5.0/gems/xml-simple-1.1.5/lib/xmlsimple.rb:164:in `xml_in'
/usr/share/logstash/vendor/bundle/jruby/2.5.0/gems/xml-simple-1.1.5/lib/xmlsimple.rb:203:in `xml_in'
/usr/share/logstash/vendor/bundle/jruby/2.5.0/gems/logstash-filter-xml-4.1.1/lib/logstash/filters/xml.rb:195:in `filter'
/usr/share/logstash/logstash-core/lib/logstash/filters/base.rb:159:in `do_filter'
/usr/share/logstash/logstash-core/lib/logstash/filters/base.rb:178:in `block in multi_filter'
org/jruby/RubyArray.java:1809:in `each'
/usr/share/logstash/logstash-core/lib/logstash/filters/base.rb:175:in `multi_filter'
org/logstash/config/ir/compiler/AbstractFilterDelegatorExt.java:134:in `multi_filter'
/usr/share/logstash/logstash-core/lib/logstash/java_pipeline.rb:295:in `block in start_workers'
...
Exception parsing
Line: 1
Position: 711
Last 80 unconsumed characters:
</\nOpcode><Keywords>Classic</Keywords><TimeCreated SystemTime='2020-02-01T00:55:>, :backtrace=>["uri:classloader:/META-INF/jruby.home/lib/ruby/stdlib/rexml/parsers/baseparser.rb:442:in `pull_event'", "uri:classloader:/META-INF/jruby.home/lib/ruby/stdlib/rexml/parsers/baseparser.rb:185:in `pull'", "uri:classloader:/META-INF/jruby.home/lib/ruby/stdlib/rexml/parsers/treeparser.rb:23:in `parse'", "uri:classloader:/META-INF/jruby.home/lib/ruby/stdlib/rexml/document.rb:288:in `build'", "uri:classloader:/META-INF/jruby.home/lib/ruby/stdlib/rexml/document.rb:45:in `initialize'", "/usr/share/logstash/vendor/bundle/jruby/2.5.0/gems/xml-simple-1.1.5/lib/xmlsimple.rb:971:in `parse'", "/usr/share/logstash/vendor/bundle/jruby/2.5.0/gems/xml-simple-1.1.5/lib/xmlsimple.rb:164:in `xml_in'", "/usr/share/logstash/vendor/bundle/jruby/2.5.0/gems/xml-simple-1.1.5/lib/xmlsimple.rb:203:in `xml_in'", "/usr/share/logstash/vendor/bundle/jruby/2.5.0/gems/logstash-filter-xml-4.1.1/lib/logstash/filters/xml.rb:195:in `filter'", "/usr/share/logstash/logstash-core/lib/logstash/filters/base.rb:159:in `do_filter'", "/usr/share/logstash/logstash-core/lib/logstash/filters/base.rb:178:in `block in multi_filter'", "org/jruby/RubyArray.java:1809:in `each'", "/usr/share/logstash/logstash-core/lib/logstash/filters/base.rb:175:in `multi_filter'", "org/logstash/config/ir/compiler/AbstractFilterDelegatorExt.java:134:in `multi_filter'", "/usr/share/logstash/logstash-core/lib/logstash/java_pipeline.rb:295:in `block in start_workers'"]}

As per my understanding, the raw log contains \n in one XML <Opcode></\nOpcode> that is not being parsed through XML filter plugin. Raw log is not in my control but if I remove this tag <Opcode></\nOpcode> and run my config file, it parse all fields properly without any error. Now can I remove this XML tag <Opcode></\nOpcode> before filter it through XML filter plugin? or can you please suggest any other way to get the desired results.

Thank you very much

system · December 27, 2020, 7:20pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Need some help with Logstash and the XML filter plugin Logstash	11	469	March 26, 2021
Parsing logs with logstash Logstash	6	169	March 6, 2024
Help using Logstash XML Filter to Parse Offline Windows Event Logs Logstash	5	3082	June 23, 2018
Issue while Parsing XML data Logstash	4	332	September 24, 2019
Windows Event Viewer Logs Parsing without Winlogbeat Logstash	2	845	September 9, 2020

Not properly formated XML

Related Topics