Parsing McAfee ePO Logs

McAfee has recently supported forwarding messages via syslog, and after a bit of grokking I'm left with the meat and potatoes portion of the message, which is XML. Here is how I'm parsing it...

  xml {
    source    => "epo_xml"
    target    => "epo_xml_parsed"
    store_xml => true
    add_tag   => [ "xml_parse_success" ]
  }
...

Provides the following result:
...
  "tags": ["xml_parse_success"],
  "epo_xml_parsed": {
    "MachineInfo": [
      {
        "RawMACAddress": ["F0921CDC9999"],
        "MachineName": ["aa-somehost"],
        "AgentVersion": ["5.0.0"],
        "AgentGUID": ["{50997d14-0b4a-11e7-2bcc-f12222226f21}"],
        "OSName": ["Windows 7"],
        "IPAddress": ["192.168.1.1"],
        "TimeZoneBias": ["420"]
      }
    ],
    "McAfeeCommonUpdater": [
      {
        "ProductFamily": "TVD",
        "ProductName": "McAfee Agent",
        "ProductVersion": "5.0.0",
        "UpdateEvent": [
          {
            "Locale": ["0409"],
            "InitiatorID": ["EPOAGENT3000"],
            "Type": ["Update"],
            "SiteName": ["ePO_SRV-NAME"],
            "Version": ["N/A"],
            "EventID": ["2402"],
            "Error": ["26"],
            "Severity": ["4"],
            "ProductID": ["EPOAGENT3000"],
            "GMTTime": ["2017-03-30T07:00:00"],
            "InitiatorType": ["UpdateTask"]
          }
        ]
      }
    ]
  },
...
Now I'd like to create the "machinename" field with the appropriate value. How?

You mean like it has in the sample?

It hasn't yet in the sample. MachineName currently has a value that appears to be an array, and it is part of a hash whose parent is MachineInfo. I'd like to assign a whole new variable "machinename"=${[MachineInfo][MachineName]}, but when I do, Logstash hangs and I get a ton of Ruby errors in logstash-plain.log. So what am I doing wrong?
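Added example, not part of the thread: the filter block below continues the poster's own xml filter and copies MachineName into a top-level "machinename" field using Logstash's field-reference and sprintf syntax. Two things differ from the attempt above. First, Logstash's sprintf form is %{...}; ${...} is the syntax Logstash reserves for environment-variable substitution in the config. Second, the xml filter (with its default force_array => true) wraps every repeated-capable element in an array, so each level that printed as [ ... ] in the sample needs a numeric index, and the path has to start at the target field "epo_xml_parsed". The conditional guards the copy so an ePO message without a MachineInfo block does not produce a literal "%{...}" string in the new field. The field names are the ones from the sample output; nothing else is assumed.

```logstash
filter {
  xml {
    source    => "epo_xml"
    target    => "epo_xml_parsed"
    store_xml => true
    add_tag   => [ "xml_parse_success" ]
  }

  # Path into the parsed document, following the sample:
  #   epo_xml_parsed -> MachineInfo (array) -> [0] -> MachineName (array) -> [0]
  # The "if [field]" test is true only when the field exists and is not null,
  # so events without a MachineInfo block are skipped instead of getting a
  # bogus "%{...}" value.
  if "xml_parse_success" in [tags] and [epo_xml_parsed][MachineInfo][0][MachineName][0] {
    mutate {
      # %{...} is the sprintf form; ${...} would be read as an environment variable.
      add_field => { "machinename" => "%{[epo_xml_parsed][MachineInfo][0][MachineName][0]}" }
    }
  } else {
    mutate { add_tag => [ "epo_no_machinename" ] }
  }
}
```

Run against the sample event this yields "machinename": "aa-somehost". If you would rather not carry the [0] indices, set force_array => false on the xml filter; single elements are then stored as plain strings and the reference becomes [epo_xml_parsed][MachineInfo][MachineName], but any element that does repeat in a given message will still arrive as an array, so keep the existence check either way.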
