Which is the best way to parse logs with XML sections

Hi, I'm trying to send an app log to Logstash. The problem is that these logs have XML sections spanning multiple lines.

example:

2019-05-03 12:11:36,746 [xxxxxxxxx] INFO Command - GetReport Command receive, Id [xxxxxxxxxx], response and end
2019-05-03 12:11:38,939 [xxxxxxxxx] INFO ProvisioningManager - ProvisioningManager command receive
2019-05-03 12:11:38,940 [xxxxxxxxx] INFO Command - WebService message receive [<?xml version="1.0" encoding="UTF-8"?><soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">soapenv:Body<ns1:executeAsynchronousCommand xmlns:ns1="http://pm.soap.pm.gemalto.com">ns1:filenamepm</ns1:filename>ns1:token</ns1:token>ns1:command

             <Order>
               <DeleteSubscription
                  iccid="xxxxxxxxxxxxxxxxxxx"
                  deleteSecurity="true">
               </DeleteSubscription>
             </Order>

           </ns1:command></ns1:executeAsynchronousCommand></soapenv:Body></soapenv:Envelope>]

2019-05-03 12:11:38,940 [xxxxxxxxx] INFO Command - ASynchronus Command receive, will parse command, generate Id, response and end

Which is the best way to do it?

thanks

You could try something like

if "xml" in [message] {
        dissect { mapping => { "message" => "%{}[%{}]%{}[%{[@metadata][xml]}]%{}" } }
}

Then if the XML is valid (what you have shown is not) you could parse it with an xml filter

xml { source => "[@metadata][xml]" target => "theXML" }
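The filters in the reply above act on one event at a time, so the continuation lines of the XML have to be joined into a single event first. The following pipeline is an added example, not part of the original thread: it puts a multiline codec in front of the reply's dissect and xml filters. The file path is a placeholder, and it assumes every new log entry starts with a timestamp like the ones in the sample.

```logstash
input {
  file {
    # Placeholder path (assumption); point this at the application log.
    path => "/path/to/app.log"

    # Any line that does NOT start with a timestamp is appended to the
    # previous event, so the whole "[<?xml ... </soapenv:Envelope>]" block
    # arrives in one message field.
    codec => multiline {
      pattern => "^%{TIMESTAMP_ISO8601} "
      negate => true
      what => "previous"
      # Flush the pending event after 2 seconds of silence so the last
      # entry in the file is not held back waiting for a following line.
      auto_flush_interval => 2
    }
  }
}

filter {
  if "xml" in [message] {
    # Mapping taken from the reply: skip the timestamp, the first bracketed
    # field and the text before the second "[", then capture the payload.
    dissect {
      mapping => { "message" => "%{}[%{}]%{}[%{[@metadata][xml]}]%{}" }
    }

    # Parse the captured payload only when dissect succeeded.
    if "_dissectfailure" not in [tags] {
      xml {
        source => "[@metadata][xml]"
        target => "theXML"
      }
    }
  }
}
```

Events whose payload is not well-formed XML are tagged `_xmlparsefailure` by the xml filter and keep their original message, so they can be routed or counted separately.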
