Hello !
After hours of trying I can't find "the light". I have the following customized Windows XML file... with data in [messages]... but xpath only recognizes the first field (activity_id) and does not parse "UserId" or "message", simply ignoring these...
Can you point me in the right direction? The XML file is customized in the "message" field.
I am new to logstash....
Please edit your post (use the pencil icon under the post) and format the text using markdown. If you select the body of the XML and click on </> then blockquote markup will be applied. Then do the same for the text of your configuration. You will see the appearance change in the preview pane to the right of the edit pane.
While writing this I figured out that my XML message field does not seem to be valid XML... so I tried to "grok" this field, with success:

```
if "ADFS_MFA" in [tags] {
  grok {
    match => { "message" => "<activity_id>%{GREEDYDATA:activity_id}</activity_id><UserId>%{GREEDYDATA:UserId}</UserId><message>%{GREEDYDATA:mfa_message}</message>" }
  }
}
```
Now I have the fields "activity_id, UserID and MFA_Message" in Kibana...
Is there a better way to parse the (xml) message field?
The mutate+gsub is required because your [EventData][Data] field looks like
<activity_id>a3c26928-0c8f-4c66-fb01-0080020000fa</activity_id><UserId>joerg.mohar@metronom.com</UserId><message>joerg.mohar@metronom.com entered Token for Multi-Factor-Authentication</message>
and you cannot parse something that has multiple elements at the root level using an xml filter, so I wrap the whole thing in <a> </a>
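As an added example (not part of the original thread), here is how that mutate+gsub wrapping and an xml filter fit together in one Logstash filter block. It assumes the fragment above sits in `[EventData][Data]` and that the event carries the `ADFS_MFA` tag used in the poster's grok config; the target field names are taken from that config.

```logstash
filter {
  if "ADFS_MFA" in [tags] {
    # The fragment has three sibling elements and no single root, so prepend
    # <a> and append </a> before parsing; an xml filter refuses multi-root input.
    mutate {
      gsub => [
        "[EventData][Data]", "^", "<a>",
        "[EventData][Data]", "$", "</a>"
      ]
    }
    xml {
      source    => "[EventData][Data]"
      store_xml => false          # keep only the xpath results, not the parsed tree
      xpath     => {
        "/a/activity_id/text()" => "activity_id"
        "/a/UserId/text()"      => "UserId"
        "/a/message/text()"     => "mfa_message"
      }
    }
  }
}
```

Unlike grok, this keeps working if the element order changes or extra elements appear, and it fails visibly (a `_xmlparsefailure` tag) instead of silently matching the wrong text when the input is not what you expect. Note that xpath results are stored as arrays, so `UserId` arrives as `["joerg.mohar@metronom.com"]`; reference `[UserId][0]` or add a `mutate { join => ... }` if you need a plain string.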