Hey Guys,
Just asking myself how to configure the XML filter in Logstash, not for a file input but for a Winlogbeat input.
Background: We're logging the ADFS audit from our Windows ADFS servers via Winlogbeat to Elastic.
The event log entry (on the Windows server) looks like this, for example (my plan is to have every single XML node as a field in Elastic; actually I have all the XML data in "event_data.param2"):
XML:
<?xml version="1.0" encoding="utf-16"?>
<AuditBase xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="AppTokenAudit">
<AuditType>AppToken</AuditType>
<AuditResult>Success</AuditResult>
<FailureType>None</FailureType>
<ErrorCode>N/A</ErrorCode>
<ContextComponents>
<Component xsi:type="ResourceAuditComponent">
<RelyingParty>https://some.very.cool.url</RelyingParty>
<ClaimsProvider>AD AUTHORITY</ClaimsProvider>
<UserId>ACME-LOCAL\elasticuser</UserId>
</Component>
<Component xsi:type="AuthNAuditComponent">
<PrimaryAuth>http://schemas.microsoft.com/ws/2008/06/identity/authenticationmethod/windows</PrimaryAuth>
<DeviceAuth>false</DeviceAuth>
<DeviceId>N/A</DeviceId>
<MfaPerformed>false</MfaPerformed>
<MfaMethod>N/A</MfaMethod>
<TokenBindingProvidedId>false</TokenBindingProvidedId>
<TokenBindingReferredId>false</TokenBindingReferredId>
<SsoBindingValidationLevel>TokenUnbound</SsoBindingValidationLevel>
</Component>
<Component xsi:type="ProtocolAuditComponent">
<OAuthClientId>N/A</OAuthClientId>
<OAuthGrant>N/A</OAuthGrant>
</Component>
<Component xsi:type="RequestAuditComponent">
<Server>http://someserver.acme.local/adfs/services/trust</Server>
<AuthProtocol>SAMLP</AuthProtocol>
<NetworkLocation>Intranet</NetworkLocation>
<IpAddress>10.127.67.230</IpAddress>
<ProxyServer>N/A</ProxyServer>
<UserAgentString>Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.108 Safari/537.36</UserAgentString>
<Endpoint>/adfs/ls/wia</Endpoint>
</Component>
</ContextComponents>
</AuditBase>
Do you have any input for me on that?
BR
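Not part of the original post: an added Logstash filter block showing one way to map the sample above to fields. It assumes the XML arrives in `[event_data][param2]` as described (newer Winlogbeat versions nest this under `[winlog]`), the `[adfs][...]` destination names are my choice, and the `mutate`/`gsub` step is a precaution against the `encoding="utf-16"` declaration, since Winlogbeat delivers the string as UTF-8.

```logstash
filter {
  # Only touch events that actually carry the ADFS audit XML in param2.
  if [event_data][param2] =~ /^<[?]xml/ {

    # The event stores the XML with encoding="utf-16" but it arrives as a
    # UTF-8 string; dropping the declaration stops the parser from honouring
    # the wrong encoding (defensive step, assumption based on the sample).
    mutate {
      gsub => [ "[event_data][param2]", "^<[?]xml[^>]*[?]>[[:space:]]*", "" ]
    }

    xml {
      source            => "[event_data][param2]"
      target            => "[adfs][raw]"   # full tree for anything not mapped below
      force_array       => false
      remove_namespaces => false           # xsi:type is needed to tell Components apart
      namespaces        => { "xsi" => "http://www.w3.org/2001/XMLSchema-instance" }
      # One field per node; the four Component elements are distinguished by xsi:type.
      xpath => {
        "/AuditBase/AuditType/text()"   => "[adfs][audit_type]"
        "/AuditBase/AuditResult/text()" => "[adfs][audit_result]"
        "/AuditBase/FailureType/text()" => "[adfs][failure_type]"
        "/AuditBase/ErrorCode/text()"   => "[adfs][error_code]"
        "/AuditBase/ContextComponents/Component[@xsi:type='ResourceAuditComponent']/RelyingParty/text()"   => "[adfs][relying_party]"
        "/AuditBase/ContextComponents/Component[@xsi:type='ResourceAuditComponent']/ClaimsProvider/text()" => "[adfs][claims_provider]"
        "/AuditBase/ContextComponents/Component[@xsi:type='ResourceAuditComponent']/UserId/text()"         => "[adfs][user_id]"
        "/AuditBase/ContextComponents/Component[@xsi:type='AuthNAuditComponent']/PrimaryAuth/text()"       => "[adfs][primary_auth]"
        "/AuditBase/ContextComponents/Component[@xsi:type='AuthNAuditComponent']/MfaPerformed/text()"      => "[adfs][mfa_performed]"
        "/AuditBase/ContextComponents/Component[@xsi:type='AuthNAuditComponent']/MfaMethod/text()"         => "[adfs][mfa_method]"
        "/AuditBase/ContextComponents/Component[@xsi:type='ProtocolAuditComponent']/OAuthClientId/text()"  => "[adfs][oauth_client_id]"
        "/AuditBase/ContextComponents/Component[@xsi:type='RequestAuditComponent']/AuthProtocol/text()"    => "[adfs][auth_protocol]"
        "/AuditBase/ContextComponents/Component[@xsi:type='RequestAuditComponent']/NetworkLocation/text()" => "[adfs][network_location]"
        "/AuditBase/ContextComponents/Component[@xsi:type='RequestAuditComponent']/IpAddress/text()"       => "[adfs][source_ip]"
        "/AuditBase/ContextComponents/Component[@xsi:type='RequestAuditComponent']/UserAgentString/text()" => "[adfs][user_agent]"
        "/AuditBase/ContextComponents/Component[@xsi:type='RequestAuditComponent']/Endpoint/text()"        => "[adfs][endpoint]"
      }
    }
  }
}
```

The remaining nodes (DeviceAuth, ProxyServer, Server and so on) follow the same xpath pattern; note that xpath results are stored as arrays (for the sample, `[adfs][user_id]` becomes `["ACME-LOCAL\elasticuser"]`), and events the parser rejects get the `_xmlparsefailure` tag, which is worth alerting on so a broken mapping does not silently drop authentication audit data.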