Hello - I've exported some Windows events to XML and need to parse them into fields, but I'm not having much luck. I'm able to parse each event into a separate log using the multiline filter, but nothing I seem to do is parsing out the individual fields I want. I just get each event in a message field. Where am I going wrong?
Here are the input/filter parts of my logstash config:
input {
  file {
    path => "/etc/logstash/data/win10-security.xml"
    start_position => "beginning"
    sincedb_path => "/dev/null"
    codec => multiline {
      pattern => "^<Event xmlns"
      negate => "true"
      what => "previous"
    }
  }
}
filter {
  xml {
    store_xml => "false"
    source => "message"
    xpath => [
      "/Events/Event/EventID", "eventid",
      "/Events/Event/TimeCreated", "datetime",
      "/Events/Event/Computer", "computer"
    ]
  }
}
Here is a sample of my XML file, a single Event within the broader Events.
<Events>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
<EventID Qualifiers="">4634</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>12545</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2017-07-24 13:22:07.108276"></TimeCreated>
<EventRecordID>7849</EventRecordID>
<Correlation ActivityID="" RelatedActivityID=""></Correlation>
<Execution ProcessID="632" ThreadID="836"></Execution>
<Channel>Security</Channel>
<Computer>WS02.cyberdyne.local</Computer>
<Security UserID=""></Security>
</System>
<EventData><Data Name="TargetUserSid">S-1-5-96-0-2</Data>
<Data Name="TargetUserName">UMFD-2</Data>
<Data Name="TargetDomainName">Font Driver Host</Data>
<Data Name="TargetLogonId">0x0000000000f7b2f6</Data>
<Data Name="LogonType">2</Data>
</EventData>
</Event>
</Events>
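An added worked example (not part of the original post, and not Logstash's own code) that reproduces the problem outside Logstash with Python's standard-library ElementTree. It takes the single Event from the post exactly as the multiline codec delivers it, shows that the two expressions from the config evaluate to nothing, and then extracts the same fields with namespace-qualified paths relative to the Event root. The sample text, the `e:` prefix and the helper names are constructed for this example.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the single Event from the post, as the multiline codec
# hands it to the filter. Two things matter here: the <Events> wrapper is
# gone, so each message's document root is <Event>, and that root declares a
# default namespace (xmlns=...), so every element inside it is namespaced.
SAMPLE_EVENT = """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
<EventID Qualifiers="">4634</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>12545</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2017-07-24 13:22:07.108276"></TimeCreated>
<EventRecordID>7849</EventRecordID>
<Correlation ActivityID="" RelatedActivityID=""></Correlation>
<Execution ProcessID="632" ThreadID="836"></Execution>
<Channel>Security</Channel>
<Computer>WS02.cyberdyne.local</Computer>
<Security UserID=""></Security>
</System>
<EventData><Data Name="TargetUserSid">S-1-5-96-0-2</Data>
<Data Name="TargetUserName">UMFD-2</Data>
<Data Name="TargetDomainName">Font Driver Host</Data>
<Data Name="TargetLogonId">0x0000000000f7b2f6</Data>
<Data Name="LogonType">2</Data>
</EventData>
</Event>"""

EVENT_NS = "http://schemas.microsoft.com/win/2004/08/events/event"
NS = {"e": EVENT_NS}  # the prefix is arbitrary; it only has to match the paths below


def naive_lookup(xml_text):
    """The lookups from the post, evaluated as written (relative form, since
    ElementTree rejects absolute paths). Both come back None: there is no
    <Events> ancestor once the codec has split the file, and an unprefixed
    name never matches an element that lives in a default namespace."""
    root = ET.fromstring(xml_text)
    return {
        "eventid": root.find("Events/Event/EventID"),   # wrong root
        "eventid_relative": root.find("System/EventID"),  # right root, no namespace
    }


def parse_event(xml_text):
    """Return the fields the post asks for, plus every EventData/Data entry
    keyed by its Name attribute, using namespace-qualified paths relative
    to the <Event> root."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}Event" % EVENT_NS:
        raise ValueError("expected a Windows Event document, got %r" % root.tag)

    def text(path):
        node = root.find(path, NS)
        return node.text if node is not None else None

    # TimeCreated has empty text; the timestamp is in its SystemTime attribute.
    time_created = root.find("e:System/e:TimeCreated", NS)

    fields = {
        "eventid": text("e:System/e:EventID"),
        "datetime": time_created.get("SystemTime") if time_created is not None else None,
        "computer": text("e:System/e:Computer"),
        "channel": text("e:System/e:Channel"),
        "record_id": text("e:System/e:EventRecordID"),
    }
    # EventData is a list of <Data Name="..."> pairs; flatten them so that
    # LogonType, TargetUserName and friends become first-class fields.
    for data in root.findall("e:EventData/e:Data", NS):
        name = data.get("Name")
        if name:
            fields[name] = data.text
    return fields


if __name__ == "__main__":
    print("naive:", naive_lookup(SAMPLE_EVENT))
    for key, value in parse_event(SAMPLE_EVENT).items():
        print("%-16s %s" % (key, value))
```

The same two corrections carry over to the xml filter: write the XPath relative to the Event root (`/Event/System/EventID/text()` rather than `/Events/Event/...`), and deal with the default namespace either by setting the filter's `remove_namespaces` option or by declaring the namespace with its `namespaces` option and prefixing every step of the path. Note also that the timestamp lives in `TimeCreated/@SystemTime`, not in the element text, and that the filter stores xpath results as arrays.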