I am currently trying to develop an integration that takes reports from an appliance and then indexes them in Elastic.
The appliance sends these XML reports via TCP.
Currently, I have the problem that I can't get the decode_xml processor to decode the XML.
Here I first tried to send an example report using observability/stream log, but characters are escaped. Next I tried to use observability/stream pcap.
For this I used tcpdump to create a pcap of an XML report from the appliance. After that I modified the PCAP so that there are only packets where the XML report is transferred.
Now the XML decoder works, but the message part is split into several documents, which throws an unexpected EOF error.
The question now is, did I use observability/stream pcap wrong, or should I not use it at all?
Or do I need a multiline parser here? The multiline parser I tried does not work:
parsers:
  - multiline:
      type: pattern
      pattern: '<\/report>'
      negate: true
      match: before
The XML has the following structure:
<report id="9681bea7-6512-4f50-8879-e05a84c68a58">
  <gmp>
    <version>22.4</version>
  </gmp>
  ...
  <errors>
    <count>0</count>
  </errors>
  <report_format></report_format>
</report>
Regards
Sebastian
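Added example, not part of the original post or of Filebeat: a small Python reassembler that mimics what the multiline config above (pattern `</report>`, negate: true, match: before) is meant to do, grouping every line up to and including `</report>` into one event, and shows why the individual fragments fail to decode on their own. The sample lines are constructed from the report structure in the post.

```python
"""Reassemble an XML report that arrives over TCP as several line-sized
events, then decode it once it is complete.  Added example; the grouping
rule imitates the multiline parser semantics, it is not Filebeat code."""
import re
import xml.etree.ElementTree as ET

# Same closing-tag pattern as in the post's multiline config.
END_PATTERN = re.compile(r"<\/report>")

# Constructed sample: one report delivered as seven separate events.
SAMPLE_LINES = [
    '<report id="9681bea7-6512-4f50-8879-e05a84c68a58">',
    '<gmp>',
    '<version>22.4</version>',
    '</gmp>',
    '<errors><count>0</count></errors>',
    '<report_format></report_format>',
    '</report>',
]


def group_reports(lines):
    """Return (complete_reports, leftover_lines).

    negate: true + match: before -> lines that do NOT match END_PATTERN are
    buffered and attached before the first line that does.  Lines left in
    the buffer at the end never saw </report> and form a truncated report.
    """
    reports, buf = [], []
    for line in lines:
        buf.append(line)
        if END_PATTERN.search(line):
            reports.append("\n".join(buf))
            buf = []
    return reports, buf


def decode_report(xml_text):
    """Decode one complete report into (id, gmp version, error count)."""
    root = ET.fromstring(xml_text)
    return (root.get("id"),
            root.findtext("gmp/version"),
            int(root.findtext("errors/count")))


def fragments_that_fail(lines):
    """Count fragments that are not well-formed XML on their own; this is
    the per-document parse error seen when the report is split up."""
    failures = 0
    for line in lines:
        try:
            ET.fromstring(line)
        except ET.ParseError:
            failures += 1
    return failures
```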