Hi,
when parsing 4 xml files, sometimes the first and sometimes the last one has parse error. (cant split nillclass) . Am I doing something wrong?
input {
beats {
port => "5044"
}
}
filter {
## interpret the message as XML
if [type] == "nessus-report" {
xml {
source => "message"
store_xml => false
xpath =>[
"/NessusClientData_v2/Report/@name","report_name",
"/NessusClientData_v2/Report/ReportHost","report_host"
]
}
split {
field => "report_host"
}
xml {
source => "report_host"
store_xml => false
xpath =>[
"/ReportHost/ReportItem","report_item",
"/ReportHost/@name","report_host_name",
"/ReportHost/HostProperties/tag[@name='HOST_START']/text()","report_host_start",
"/ReportHost/HostProperties/tag[@name='HOST_END']/text()","report_host_end"
]
}
split {
field => "report_item"
}
xml {
source => "report_item"
store_xml => false
xpath => [
"/ReportItem/@port","report_item_port",
"/ReportItem/@svc_name","report_item_svc_name",
"/ReportItem/@protocol","report_item_protocol"
]
}
grok {
match => ["source","%{GREEDYDATA}/%{GREEDYDATA:history_id}\.xml"]
}
mutate {
add_field => { "index_report_name" => "%{report_name}" }
remove_field => [ "message","report_host","report_item" ]
replace => { "report_host_start" => "%{report_host_start[0]}" }
replace => { "report_host_end" => "%{report_host_end[0]}" }
convert => { "report_item_severity" => "integer" }
}
mutate {
gsub => [
#remove all whitespaces
"index_report_name", " ", "-"
]
}
mutate{
lowercase => [ "index_report_name" ]
}
date {
match => [ "report_host_start", "EEE MMM d HH:mm:ss yyyy",
"EEE MMM dd HH:mm:ss yyyy" ]
target => "report_host_start"
locale => "en_US"
timezone => "UTC"
}
date {
match => [ "report_host_end", "EEE MMM d HH:mm:ss yyyy",
"EEE MMM dd HH:mm:ss yyyy" ]
target => "report_host_end"
locale => "en_US"
timezone => "UTC"
}
}
}
output {
if [type]=="nessus-report" {
elasticsearch {
hosts => ["10.99.40.16:9200"]
manage_template => false
index => "%{type}-%{index_report_name}-%{+YYYY.MM.dd}"
}
}
}
.example of parsing error
{
"_index" : "nessus-report-%{report_name}-2017.05.02",
"_type" : "nessus-report",
"_id" : "AVvLcflLmDMb90aiL7fj",
"_score" : 0.2876821,
"_source" : {
"report_host_end" : "%{report_host_end[0]}",
"offset" : 259,
"report_host_start" : "%{report_host_start[0]}",
"input_type" : "log",
"source" : "/opt/ctb-odin-nessus-scan/downloads/211.xml",
"type" : "nessus-report",
"history_id" : "211",
"tags" : [
"beats_input_codec_plain_applied",
"_split_type_failure",
"_dateparsefailure"
],
"@timestamp" : "2017-05-02T23:14:50.080Z",
"@version" : "1",
"beat" : {
"hostname" : "hyoga",
"name" : "hyoga",
"version" : "5.3.0"
},
"host" : "hyoga",
"index_report_name" : "%{report_name}"
}
}