Do I have to remove the @metadata everywhere in the file then? Because I still get a Ruby exception for each event, and it is all basically still just one big document, in this case called "otherField".
[ERROR] 2019-05-07 07:37:51.400 [[main]>worker0] ruby - Ruby exception occurred: undefined method `[]' for nil:NilClass
[ERROR] 2019-05-07 07:37:51.406 [[main]>worker0] ruby - Ruby exception occurred: undefined method `[]' for nil:NilClass
[ERROR] 2019-05-07 07:37:51.407 [[main]>worker0] ruby - Ruby exception occurred: undefined method `[]' for nil:NilClass
[ERROR] 2019-05-07 07:37:51.408 [[main]>worker0] ruby - Ruby exception occurred: undefined method `[]' for nil:NilClass
/usr/share/logstash/vendor/bundle/jruby/2.5.0/gems/awesome_print-1.7.0/lib/awesome_print/formatters/base_formatter.rb:31: warning: constant ::Fixnum is deprecated
{
"path" => "/home/christiane/Dokumente/evtx_shortx.xml",
"@timestamp" => 2019-05-07T05:37:49.798Z,
"otherField" => {
"xmlns" => "http://schemas.microsoft.com/win/2004/08/events/event",
"EventData" => {
"Data" => {
"content" => "0xc00484b2",
"Name" => "Status"
}
},
"System" => {
"Task" => "101",
"Correlation" => {
"ActivityID" => "{0114a2a5-ba40-0001-b6a2-140140bad401}",
"RelatedActivityID" => ""
},
"Keywords" => "0x4000000000000012",
"Channel" => "Microsoft-Windows-AAD/Operational",
"Opcode" => "0",
"Security" => {
"UserID" => "S-1-5-18"
},
"Provider" => {
"Guid" => "{4de9bc9c-b27a-43c9-8994-0915f1a5e24f}",
"Name" => "Microsoft-Windows-AAD"
},
"TimeCreated" => {
"SystemTime" => "2019-02-01 15:08:46.508312"
},
"Execution" => {
"ThreadID" => "696",
"ProcessID" => "692"
},
"EventRecordID" => "19",
"Version" => "0",
"Computer" => "xxx",
"EventID" => {
"Qualifiers" => "",
"content" => "1089"
},
"Level" => "2"
}
},
"@metadata" => {
"host" => "christiane-ThinkPad-X240",
"path" => "/home/christiane/Dokumente/evtx_shortx.xml"
},
"@version" => "1",
"host" => "christiane-ThinkPad-X240",
"theXML" => {},
"tags" => [
[0] "multiline",
[1] "_rubyexception"
]
}
.... (two more events)
{
"path" => "/home/christiane/Dokumente/evtx_shortx.xml",
"@timestamp" => 2019-05-07T05:37:49.798Z,
"otherField" => {
"xmlns" => "http://schemas.microsoft.com/win/2004/08/events/event",
"EventData" => {
"Data" => [
[0] {
"content" => "Plugin initialize",
"Name" => "API"
},
[1] {
"content" => "3221521586",
"Name" => "Result"
}
]
},
"System" => {
"Task" => "101",
"Correlation" => {
"ActivityID" => "{bf1d25ff-bd56-0005-0026-1dbf56bdd401}",
"RelatedActivityID" => ""
},
"Keywords" => "0x4000000000000012",
"Channel" => "Microsoft-Windows-AAD/Operational",
"Opcode" => "0",
"Security" => {
"UserID" => "S-1-5-18"
},
"Provider" => {
"Guid" => "{4de9bc9c-b27a-43c9-8994-0915f1a5e24f}",
"Name" => "Microsoft-Windows-AAD"
},
"TimeCreated" => {
"SystemTime" => "2019-02-05 13:29:08.712677"
},
"Execution" => {
"ThreadID" => "692",
"ProcessID" => "688"
},
"EventRecordID" => "22",
"Version" => "0",
"Computer" => "xxx",
"EventID" => {
"Qualifiers" => "",
"content" => "1104"
},
"Level" => "2"
}
},
"@metadata" => {
"host" => "christiane-ThinkPad-X240",
"path" => "/home/christiane/Dokumente/evtx_shortx.xml"
},
"@version" => "1",
"host" => "christiane-ThinkPad-X240",
"theXML" => {},
"tags" => [
[0] "multiline",
[1] "_rubyexception"
]
}
(I removed two events from the output so that it fits)