Unable to parse out XML fields

Hello - I've exported some Windows events to XML and need to parse them into fields, but I'm not having much luck. I'm able to parse each event into a separate log using the multiline filter, but nothing I seem to do is parsing out the individual fields I want. I just get each event in a message field. Where am I going wrong?

Here is are the input/filter parts of my logstash config:

input {
        file {
                path => "/etc/logstash/data/win10-security.xml"
                start_position => "beginning"
                sincedb_path => "/dev/null"

                codec => multiline {
                        pattern => "^<Event xmlns"
                        negate => "true"
                        what => "previous"
                }
        }
}

filter {
        xml {
                store_xml => "false"
                source => "message"
                xpath =>
                [
                        "/Events/Event/EventID","eventid",
                        "/Events/Event/TimeCreated","datetime",
                        "/Events/Event/Computer","computer"
                ]
        }
}

Here is a sample of my XML file, a single Event within the broader Events.

<Events>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
<EventID Qualifiers="">4634</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>12545</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2017-07-24 13:22:07.108276"></TimeCreated>
<EventRecordID>7849</EventRecordID>
<Correlation ActivityID="" RelatedActivityID=""></Correlation>
<Execution ProcessID="632" ThreadID="836"></Execution>
<Channel>Security</Channel>
<Computer>WS02.cyberdyne.local</Computer>
<Security UserID=""></Security>
</System>
<EventData><Data Name="TargetUserSid">S-1-5-96-0-2</Data>
<Data Name="TargetUserName">UMFD-2</Data>
<Data Name="TargetDomainName">Font Driver Host</Data>
<Data Name="TargetLogonId">0x0000000000f7b2f6</Data>
<Data Name="LogonType">2</Data>
</EventData>
</Event>
</Events>

Looks like XPATH is wrong. You can find the xpath in XPath Tester and Evaluator online and then write the xml filter.

Any suggestions that can help me along? I've been playing with that quite a bit and can't seem to get anything beyond /Events/ to work.

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.