XML parsing using logstash

ramanna_hk · October 31, 2018, 10:26am

Hi,

I am working on Nessus logs ex: https://gist.github.com/najmisyahir/7a1d2c17257ced61257e3033cd55d090

But i am getting results in array for each fields, please help me to convert to json records.

FYI: i am using logstash 6.0.1 on ubuntu 16

logstash.conf -

input {
  file {
    path => "/sampledata/Basic_Scan_Cluster_y7zzst.nessus"
    sincedb_path => "/dev/null"
    start_position => "beginning"
    codec => multiline {
      pattern => "<Report |</NessusClientData_v2>"
      auto_flush_interval => 1
      negate => "true"
      what => "previous"
      max_lines => 1000000000
      max_bytes => "50 MiB"

    }
      tags => "nessus"
      type => "nessus"
  }
}

filter {
  ##interpret the message as XML
    if [type] == "nessus" {
        xml {
            source => "message"
            store_xml => "false"
            force_array => "false"
            
            xpath => ["/Report/ReportHost/@name", host_ip]
            xpath => ["/Report/ReportHost/ReportItem/@pluginName", plugin_name]
            xpath => ["/Report/ReportHost/ReportItem/@pluginID", plugin_id]
            xpath => ["/Report/ReportHost/ReportItem/@severity", risk_score]
            xpath => ["/Report/ReportHost/ReportItem/@port", port]
            xpath => ["/Report/ReportHost/ReportItem/@svc_name", svc_name]
            xpath => ["/Report/ReportHost/ReportItem/@protocol", protocol]
            xpath => ["/Report/ReportHost/ReportItem/@pluginFamily", plugin_family]
            xpath => ["/Report/ReportHost/ReportItem/description/text()", description]
            xpath => ["/Report/ReportHost/ReportItem/risk_factor/text()", risk_factor]
            xpath => ["/Report/ReportHost/ReportItem/see_also/text()", see_also]
            xpath => ["/Report/ReportHost/ReportItem/solution/text()", solution]
            xpath => ["/Report/ReportHost/ReportItem/synopsis/text()", synopsis]
            xpath => ["/Report/ReportHost/ReportItem/plugin_output/text()", plugin_output]
            xpath => ["/Report/ReportHost/HostProperties/tag[@name='HOST_START']/text()", report_host_start]
            xpath => ["/Report/ReportHost/HostProperties/tag[@name='HOST_END']/text()", report_host_end]
        }
        mutate {
          remove_field => ["message"]
          convert => {
              "risk_score" => "integer"
          }
        }

        date {
            match => ["report_host_start", "EEE MMM dd HH:mm:ss yyyy"]
            target => "report_host_start"
            locale => "en_US"
        }
        date {
            match => ["report_host_end", "EEE MMM dd HH:mm:ss yyyy"]
            target => "report_host_end"
            locale => "en_US"
        }
 
    }
}

output {
     elasticsearch { 
        hosts => ["localhost:9200"]
        index => "nessus-data-%{+YYYY.MM.dd}"
      }
      stdout { codec => rubydebug }
}

Jenni · October 31, 2018, 10:47am

This might help: Split ES event

ramanna_hk · November 1, 2018, 6:30am

Thanks @Jenni, i did it.

system · November 29, 2018, 6:30am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Parsing nessus XML in Logstash Logstash	23	6586	March 24, 2018
Nessus XML Parsing Errors and No output Logstash	1	477	December 28, 2021
Multiline XML not parsing Logstash	1	220	July 14, 2020
Xpath output brings arrays instead of json Logstash	1	277	November 7, 2018
Custom index with field from xpath Logstash	9	2031	May 24, 2017

XML parsing using logstash

Related topics