Parsing McAfee ePO Logs

McAfee has recently supported forwarding messages via syslog, and after a bit of grokking, I'm left with the meat and potatoes portion of the message that is XML. Here is how I'm parsing it...

xml {
  source => "epo_xml"
  target => "epo_xml_parsed"
  store_xml => true
  add_tag => [ "xml_parse_success" ]
}

Provides the following result:
"OSName":["Windows 7"],
"ProductName":"McAfee Agent",
Now I'd like to create the "machinename" field with the appropriate value. How?

You mean like it has in the sample?

It hasn't yet in the sample. MachineName currently has a value that appears to be an array. And it is a part of a hash whose parent is MachineInfo. I'd like to assign a whole new variable "machinename"=${[MachineInfo][MachineName]}, but when I do, Logstash hangs, and I get a ton of Ruby errors in logstash-plain.log. So what am I doing wrong?
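
One way to get a flat "machinename" field out of the parsed XML, shown as an added example that is not from any poster in this thread. It assumes the parsed tree puts MachineName directly under MachineInfo inside the "epo_xml_parsed" target, as described above; the tag "epo_machinename_missing" is a hypothetical name chosen for illustration.

```logstash
filter {
  xml {
    source      => "epo_xml"
    target      => "epo_xml_parsed"
    store_xml   => true
    # force_array defaults to true, which wraps every element in an
    # array (the "OSName":["Windows 7"] shape in the output above).
    # With false, an element that occurs once becomes a plain value.
    force_array => false
    add_tag     => [ "xml_parse_success" ]
  }

  if "xml_parse_success" in [tags] {
    # Copy only when the nested field exists, so an unresolved
    # "%{...}" string is never stored in machinename.
    if [epo_xml_parsed][MachineInfo][MachineName] {
      mutate {
        add_field => {
          # Field references use %{[outer][inner]}, not ${...}.
          "machinename" => "%{[epo_xml_parsed][MachineInfo][MachineName]}"
        }
      }
    } else {
      # Hypothetical tag: marks events for review instead of
      # dropping them silently.
      mutate { add_tag => [ "epo_machinename_missing" ] }
    }
  }
}
```

If force_array is left at its default, each level is an array and the reference has to index into it, for example `%{[epo_xml_parsed][MachineInfo][0][MachineName][0]}` under the same assumed structure.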
