Parse XML log with xml filter and grok filter

Hello. I am currently trying to apply some filters to different logs in Logstash. I have a log that has a string at the beginning and is then in XML format. I was able to take the XML out of the log with a regex. Now I want to send this XML to the predefined xml filter to transform it into JSON.
How can I do that? These are the filters I have written so far:

filter {
    grok{
        match => {
            "message" => ["(?<xml><\?xml[\s\S]*?<\SAuditMessage>)"]
        }
    }

    xml {
      ["xml"] => "FinalXml" 
      target => "doc"
      force_content => "true"
    }
}

The logs look like this:

Sep  7 15:06:01 ip-xxx-xxx-xxx-xxx<?xml version="1.0" encoding="UTF-8"?>
<AuditMessage>
    <Here we have more fields>
</AuditMessage>

Currently, Logstash is crashing with this configuration :))

You could try

xml {
    source => "message"
    target => "doc"
    force_content => true
}

If you are using store_xml => true (the default) then the xml filter will tolerate junk surrounding the xml, so you do not need the grok. This is not true if you use xpath.
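Added example, not from the thread and not Logstash's own code: a small Python stand-in for what the two filters above do, so the behaviour can be checked offline. extract_xml() plays the role of the grok pattern (pull the document out from the XML declaration to the closing AuditMessage tag), element_to_hash() approximates the layout the xml filter produces with force_content => true (attributes as keys, child tags as lists of hashes, text under "content"), and strict_parse_fails() shows why the syslog prefix matters to a strict parser. Python's ElementTree is strict, unlike the Nokogiri-backed xml filter the answer refers to, which is why this version extracts first. The has_dtd() refusal is an added hardening step for untrusted log feeds, not something the thread discusses, and SAMPLE_LOG and the element names inside AuditMessage are constructed for the example.

```python
import json
import re
import xml.etree.ElementTree as ET
from typing import Optional

# Constructed sample line: a syslog prefix glued directly onto the XML
# declaration, matching the shape quoted in the question. The element names
# inside AuditMessage are made up for the example.
SAMPLE_LOG = (
    'Sep  7 15:06:01 ip-10-0-0-1<?xml version="1.0" encoding="UTF-8"?>\n'
    "<AuditMessage>\n"
    '    <EventIdentification EventActionCode="E">\n'
    '        <EventID csd-code="110112">Query</EventID>\n'
    "    </EventIdentification>\n"
    '    <ActiveParticipant UserID="alice"/>\n'
    "</AuditMessage>"
)

# Same intent as the grok pattern in the question: everything from the XML
# declaration up to the closing root tag, non-greedy, spanning newlines.
XML_BLOCK = re.compile(r"(?P<xml><\?xml[\s\S]*?</AuditMessage>)")
DOCTYPE = re.compile(r"<!DOCTYPE", re.IGNORECASE)


def extract_xml(message: str) -> Optional[str]:
    """Return the XML document embedded in a log line, or None if there is none."""
    m = XML_BLOCK.search(message)
    return m.group("xml") if m else None


def strict_parse_fails(message: str) -> bool:
    """True if a strict parser rejects the raw line. ElementTree does, because
    text precedes the XML declaration; that prefix is the junk the grok strips."""
    try:
        ET.fromstring(message)
    except ET.ParseError:
        return True
    return False


def has_dtd(xml: str) -> bool:
    """Added hardening (assumption, not from the thread): audit messages have no
    reason to carry a DTD, and a DTD in a log feed is where entity-expansion
    payloads would arrive, so callers refuse it before parsing."""
    return DOCTYPE.search(xml) is not None


def element_to_hash(el: ET.Element) -> dict:
    """Approximate the xml filter's force_content => true layout: attributes
    become keys, each child tag maps to a list of hashes, element text goes
    under "content" so text and attributes never collide."""
    h = dict(el.attrib)
    for child in el:
        h.setdefault(child.tag, []).append(element_to_hash(child))
    text = (el.text or "").strip()
    if text:
        h["content"] = text
    return h


def parse_audit_message(message: str) -> dict:
    """Extract the XML from one log line and return it as a JSON-ready dict,
    roughly what target => "doc" would hold after the xml filter ran."""
    xml = extract_xml(message)
    if xml is None:
        raise ValueError("no XML document found in message")
    if has_dtd(xml):
        raise ValueError("refusing XML with a DTD")
    return element_to_hash(ET.fromstring(xml))


if __name__ == "__main__":
    print(json.dumps(parse_audit_message(SAMPLE_LOG), indent=2))
```

Run it directly to see the JSON for the sample line. If you keep the grok in your real pipeline, make sure its closing tag matches your actual root element; if you drop it and rely on the xml filter's tolerance as the answer suggests, test with a line that has no XML at all so you know how a parse failure is tagged.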
