I'm trying to use Filebeat to ship a number of XML log files that follow a quite simple request/response pattern. I thought this would be easy, but as a newcomer to the ELK stack I really need some help!
Apart from the opening/closing tags, the logs have commands from a "mos device" and responses from a 'nom' application. Messages go both ways, so there will also be commands from the 'nom' application to the 'mos device'. The logs look like this:
<mosLog Device="SOFIE1.XPRO.MOS" Time="24.06.2019 08:00:36">
<mosCommand Command="heartbeat" Time="24.06.2019 08:00:36" Port="10541" IP="160.67.166.72">
<mos>(....)</mos>
</mosCommand>
<nomResponse Command="heartbeat" Time="24.06.2019 08:00:36" Port="10541" IP="160.67.166.72">
<mos>(....)</mos>
</nomResponse>
</mosLog>
In most cases the request and response will have the same timestamp.
For messages initiated from the 'nom' application, there are "nomCommand"/"mosResponse" tags.
I've tried various solutions, but none of my patterns/flush_patterns have been able to match the opening/closing tags properly.
Any bright ideas?
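The grouping the post is after, shown as an added example that is not part of the original post and is not Filebeat code: one event per `<mosCommand>`/`<nomResponse>`/`<nomCommand>`/`<mosResponse>` element, with the `<mosLog>` wrapper lines dropped and an unclosed element kept but marked incomplete. The regexes, function names and event fields are assumptions derived from the sample log above, and the sample input is constructed from it.

```python
import re

# Assumed patterns derived from the post's sample log (not taken from Filebeat).
START = re.compile(r'^<(mos|nom)(Command|Response)\s')  # opens one message
END = re.compile(r'^</(mos|nom)(Command|Response)>')    # closes it
ATTR = re.compile(r'(\w+)="([^"]*)"')

# Constructed sample: the post's log plus a nom-initiated command cut off mid-element.
SAMPLE = '''<mosLog Device="SOFIE1.XPRO.MOS" Time="24.06.2019 08:00:36">
<mosCommand Command="heartbeat" Time="24.06.2019 08:00:36" Port="10541" IP="160.67.166.72">
<mos>(....)</mos>
</mosCommand>
<nomResponse Command="heartbeat" Time="24.06.2019 08:00:36" Port="10541" IP="160.67.166.72">
<mos>(....)</mos>
</nomResponse>
<nomCommand Command="heartbeat" Time="24.06.2019 08:00:37" Port="10541" IP="160.67.166.72">
<mos>(....)</mos>
'''

def group_events(text):
    """One event per <xxxCommand>/<xxxResponse> element; wrapper lines are dropped."""
    events, current = [], None
    for line in map(str.strip, text.splitlines()):
        m = START.match(line)
        if m:
            if current:                      # previous element never closed
                events.append(current)
            current = {"source": m.group(1), "kind": m.group(2).lower(),
                       "complete": False, "lines": [line], **dict(ATTR.findall(line))}
        elif current:
            current["lines"].append(line)
            if END.match(line):              # closing tag flushes the event
                current["complete"] = True
                events.append(current)
                current = None
    if current:                              # input ended mid-element
        events.append(current)
    return events

def pair_events(events):
    """Pair each complete command with the next response for the same Command/IP/Port."""
    pairs, pending = [], {}
    for ev in (e for e in events if e["complete"]):
        key = (ev.get("Command"), ev.get("IP"), ev.get("Port"))
        if ev["kind"] == "command":
            pending[key] = ev
        elif key in pending:
            pairs.append((pending.pop(key), ev))
    return pairs
```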