Parse XML log with xml filter and grok fiter

Catalina_Boteanu · October 14, 2021, 10:58am

Hello. I am currently trying to apply some filters to different logs in Logstash. I have a log that has a string in the beginning and then it is in xml format. I was able to take out the xml from the log with a regex. Now I want to send this xml in a xml predefined filter to transform it in JSON.
How can I do that? This is the filters I have written so far:

filter {
    grok{
        match => {
            "message" => ["(?<xml><\?xml[\s\S]*?<\SAuditMessage>)"]
        }
    }

    xml {
      ["xml"] => "FinalXml" 
      target => "doc"
      force_content => "true"
    }
}

The logs look like this:

Sep  7 15:06:01 ip-xxx-xxx-xxx-xxx<?xml version="1.0" encoding="UTF-8"?>
<AuditMessage>
    <Here we have more fields>
</AuditMessage>

Currently, Logstash is crashig with this configuration:))

Badger · October 15, 2021, 5:34pm

You could try

xml {
    source => "message"
    target => "doc"
    force_content => true
}

If you are using store_xml => true (the default) then the xml filter will tolerate junk surrounding the xml, so you do not need the grok. This is not true if you use xpath.

system · November 12, 2021, 5:35pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
How to write a filter for a file containing a mix of xml and non xml messages Logstash	3	172	September 16, 2022
Problems with parsing XML log files with XML filter of Logstash Logstash	8	1561	July 6, 2017
Not able to parse XML string with logstash grok filter Logstash	2	781	December 28, 2016
XML filter help Logstash	5	1545	July 6, 2017
Logstash Grok filters, split and path Logstash	2	479	December 18, 2020

Parse XML log with xml filter and grok fiter

Related Topics