WinlogBeat -> LogStash XML filter


(Florian Mulatz) #1

Hey Guys,

Just asking myself how to configure the XML filter in Logstash, not for a file input but for a Winlogbeat input.
Background: We're logging the ADFS Audit from our Win-ADFS Servers via Winlogbeat to elastic.

The Eventlog entry (on the Windows server) looks, for example, like this (my plan is to have every single XML node as a field in Elastic; currently I have all the XML data in "event_data.param2") -->

XML: <?xml version="1.0" encoding="utf-16"?>
<AuditBase xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="AppTokenAudit">
  <AuditType>AppToken</AuditType>
  <AuditResult>Success</AuditResult>
  <FailureType>None</FailureType>
  <ErrorCode>N/A</ErrorCode>
  <ContextComponents>
    <Component xsi:type="ResourceAuditComponent">
      <RelyingParty>https://some.very.cool.url</RelyingParty>
      <ClaimsProvider>AD AUTHORITY</ClaimsProvider>
      <UserId>ACME-LOCAL\elasticuser</UserId>
    </Component>
    <Component xsi:type="AuthNAuditComponent">
      <PrimaryAuth>http://schemas.microsoft.com/ws/2008/06/identity/authenticationmethod/windows</PrimaryAuth>
      <DeviceAuth>false</DeviceAuth>
      <DeviceId>N/A</DeviceId>
      <MfaPerformed>false</MfaPerformed>
      <MfaMethod>N/A</MfaMethod>
      <TokenBindingProvidedId>false</TokenBindingProvidedId>
      <TokenBindingReferredId>false</TokenBindingReferredId>
      <SsoBindingValidationLevel>TokenUnbound</SsoBindingValidationLevel>
    </Component>
    <Component xsi:type="ProtocolAuditComponent">
      <OAuthClientId>N/A</OAuthClientId>
      <OAuthGrant>N/A</OAuthGrant>
    </Component>
    <Component xsi:type="RequestAuditComponent">
      <Server>http://someserver.acme.local/adfs/services/trust</Server>
      <AuthProtocol>SAMLP</AuthProtocol>
      <NetworkLocation>Intranet</NetworkLocation>
      <IpAddress>10.127.67.230</IpAddress>
      <ProxyServer>N/A</ProxyServer>
      <UserAgentString>Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.108 Safari/537.36</UserAgentString>
      <Endpoint>/adfs/ls/wia</Endpoint>
    </Component>
  </ContextComponents>
</AuditBase>

Do you have any inputs for me on that?

BR


(Florian Mulatz) #2

No one?

I tried with -->

filter {
  if "adfs" in [tags] {
    xml {
      namespaces => {
        "xsd" => "http://www.w3.org/2001/XMLSchema"
        "xsi" => "http://www.w3.org/2001/XMLSchema-instance"
      }
      # Nested Winlogbeat fields use Logstash's bracket reference syntax;
      # a plain "event_data.param2" is looked up as one top-level field of that name
      source => "[event_data][param2]"
      #target => "xmldata"
      store_xml => false
      # All xpath pairs go into one hash; repeating the xpath option per pair is
      # not the documented form and risks only the last pair taking effect
      xpath => {
        "/AuditBase/AuditType/text()"   => "XML-AuditType"
        "/AuditBase/AuditResult/text()" => "XML-AuditResult"
        "/AuditBase/FailureType/text()" => "XML-FailureType"
      }
    }
  }
}

But nothing...


(Walker) #3

Define "nothing"

Do you mean nothing as you don't see anything in Kibana/Elastic or do you mean nothing as in you get errors in Winlogbeat or Logstash on ingest?


(Florian Mulatz) #4

Hey,

Nothing - in my situation - means that the XML data does not get split into separate fields. The data comes in as it is (the whole XML in one field).

BR


(Walker) #5

I'm actually having the same issue with mine at the moment. Once upon a time I had it working great and then ran into a separate issue that's caused me to regress in my understanding of the XML filter. You could try using the xpath function of XML to tell it how to split the fields out... not sure if it's supposed to be able to dynamically create fields based on XML tags.


(Walker) #6

OK, I solved my issue which was completely irrelevant to yours, but it's restored my confidence, lol. First, let's change your xpath statement:

xpath => [
  "AuditBase/AuditType/text()","XML-AuditType",
  "AuditBase/AuditResult/text()","XML-AuditResult",
  "AuditBase/FailureType/text()","XML-FailureType"
]

If that doesn't work, have you tried enabling debug/trace logging on logstash to see what kind of information you can glean when it tried to process one of these events?
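The original goal in this thread (one field per XML node, including the values inside each Component) cannot be expressed as a fixed list of xpath pairs, because the interesting leaves sit under Components distinguished only by their xsi:type. The following Python is an added example, not code from any poster, showing the flattening that such a pipeline step would have to do; the field names, the "xml." prefix and the trimmed sample payload are assumptions based on the AuditBase event in the first post.

```python
import re
import xml.etree.ElementTree as ET

XSI = "{http://www.w3.org/2001/XMLSchema-instance}"
# The ADFS payload declares encoding="utf-16" but reaches the pipeline as an
# already-decoded string; dropping the declaration avoids parsers rejecting the mismatch.
_XML_DECL = re.compile(r"^\s*<\?xml[^>]*\?>")

# Constructed sample, trimmed from the AuditBase event shown in the first post.
SAMPLE_PARAM2 = r"""<?xml version="1.0" encoding="utf-16"?>
<AuditBase xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="AppTokenAudit">
  <AuditType>AppToken</AuditType>
  <AuditResult>Success</AuditResult>
  <FailureType>None</FailureType>
  <ErrorCode>N/A</ErrorCode>
  <ContextComponents>
    <Component xsi:type="ResourceAuditComponent">
      <RelyingParty>https://some.very.cool.url</RelyingParty>
      <UserId>ACME-LOCAL\elasticuser</UserId>
    </Component>
    <Component xsi:type="AuthNAuditComponent">
      <MfaPerformed>false</MfaPerformed>
      <MfaMethod>N/A</MfaMethod>
    </Component>
    <Component xsi:type="RequestAuditComponent">
      <NetworkLocation>Intranet</NetworkLocation>
      <IpAddress>10.127.67.230</IpAddress>
    </Component>
  </ContextComponents>
</AuditBase>"""

def _value(text):
    """Normalise a leaf value: ADFS writes N/A for absent data, keep that out of the index."""
    text = (text or "").strip()
    return None if text == "N/A" else text

def flatten_adfs_audit(xml_text, prefix="xml"):
    """Return one flat field per leaf node, keyed by the Component's xsi:type,
    e.g. xml.RequestAuditComponent.IpAddress -> "10.127.67.230"."""
    root = ET.fromstring(_XML_DECL.sub("", xml_text, count=1))
    fields = {prefix + ".AuditClass": root.get(XSI + "type")}
    for child in root:                      # top-level leaves: AuditType, AuditResult, ...
        if child.tag != "ContextComponents":
            fields["%s.%s" % (prefix, child.tag)] = _value(child.text)
    for comp in root.iterfind("ContextComponents/Component"):
        kind = comp.get(XSI + "type", "Component")   # e.g. AuthNAuditComponent
        for leaf in comp:
            fields["%s.%s.%s" % (prefix, kind, leaf.tag)] = _value(leaf.text)
    return fields
```

Feeding a real event through this gives fields such as xml.AuthNAuditComponent.MfaPerformed and xml.RequestAuditComponent.NetworkLocation, which are the ones worth alerting on (non-MFA, extranet token issuance) once indexed separately.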

