Hi,
I am using the XML filter to ingest a file that looks like this:
<Events>
... other events
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-WinINet" Guid="{43d1a55c-76d6-4f7e-995c-64c711e5cafe}" />
<EventID>108</EventID>
<Version>0</Version>
<Level>4</Level>
<Task>503</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000001</Keywords>
<TimeCreated SystemTime="2020-03-27T14:08:47.392601500+00:00" />
<Correlation ActivityID="{00cc000c-12e5-0000-dc12-fc05e043051f}" />
<Execution ProcessID="4828" ThreadID="1532" ProcessorID="0" KernelTime="24105" UserTime="18705" />
<Channel>Microsoft-Windows-WinINet/Analytic</Channel>
<Computer />
</System>
<EventData>
<Data Name="ConnectionHandle">0xCC000C</Data>
<Data Name="_ServerNameLength">17</Data>
<Data Name="ServerName">xxxyyyyy.zzzz.com</Data>
<Data Name="ServerPort"> 15148</Data>
<Data Name="_ServiceLength">4</Data>
<Data Name="Service">http</Data>
</EventData>
<RenderingInfo Culture="en-GB">
<Level>Information </Level>
<Opcode>Info </Opcode>
<Keywords>
<Keyword>Flagged on all WinINet events dealing with creation or destruction of INTERNET handles </Keyword>
</Keywords>
<Task>WININET_HTTP_REQUEST_HANDLE_CREATED </Task>
<Message>Request handle 0xCC000C Server Details: Server=xxxyyyyy.zzzz.com Port=15148 Service=http </Message>
<Channel>Microsoft-Windows-WinINet/Analytic</Channel>
<Provider>Microsoft-Windows-WinINet </Provider>
</RenderingInfo>
</Event>
... other events
</Events>
The filter section of my config file looks like this:
filter {
xml {
remove_namespaces => true
source => "message"
target => "wininet"
store_xml => true
force_array => false
xpath => [ "//Event/System/TimeCreated/@SystemTime", "SystemTime" ]
xpath => [ "//Event/System/EventID/text()", "EventID" ]
xpath => [ "//Event/System/Task/text()", "Task" ]
xpath => [ "//Event/System/Opcode/text()", "Opcode" ]
xpath => [ "//Event/System/Execution/@ProcessID", "ProcessID" ]
xpath => [ "//Event/System/Execution/@ThreadID", "ThreadID" ]
xpath => [ "//Event/System/Execution/@UserTime", "UserTime" ]
xpath => [ "//Event/System/Execution/@KernelTime", "KernelTime" ]
xpath => [ "//Event/EventData/Data[@Name='URL']/text()", "URL" ]
xpath => [ "//Event/EventData/Data[@Name='ServerName']/text()", "ServerName" ]
xpath => [ "//Event/EventData/Data[@Name='ConnectionHandle']/text()", "ConnectionHandle" ]
xpath => [ "//Event/EventData/Data[@Name='Status']/text()", "Status" ]
xpath => [ "//Event/EventData/Data[@Name='Verb']/text()", "Verb" ]
xpath => [ "//Event/EventData/Data[@Name='RequestHeader']/text()", "RequestHeader" ]
xpath => [ "//Event/EventData/Data[@Name='ResponseHeader']/text()", "ResponseHeader" ]
xpath => [ "//Event/EventData/Data[@Name='ResponseCode']/text()", "ResponseCode" ]
xpath => [ "//Event/EventData/Data[@Name='Error']/text()", "Error" ]
xpath => [ "//Event/EventData/Data[@Name='ConnectionHandle']/text()", "ConnectionHandle" ]
xpath => [ "//Event/RenderingInfo/Task/text()", "Task" ]
xpath => [ "//Event/RenderingInfo/Message/text()", "Message" ]
}
}
When I run Logstash, I get:
An unexpected error occurred! {:error=>java.lang.IllegalStateException: java.lang.ClassCastException: Cannot cast org.jruby.specialized.RubyArrayTwoObject to org.jruby.RubyString
If I comment out the configuration line referring to ConnectionHandle, everything works OK, including the ingestion of ServerName. The format of the ConnectionHandle and ServerName values in the XML looks the same, and the xpath parameters look the same.
What am I doing wrong?
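The following is an added example, not part of the original post and not Logstash's own code. It reproduces the posted xpath configuration outside Logstash with only the Python standard library so the failure can be seen in isolation. It rests on two assumptions, stated here and in the code: (1) Logstash folds the flat `xpath => [ src, dest ]` pairs into one hash and, when the same src key appears twice (as the ConnectionHandle line does in the posted config), stores both dest values as a list instead of overwriting; (2) the xml filter then hands that list to event.set() as the field name, which is what a "Cannot cast RubyArrayTwoObject to RubyString" error describes. The sample document is a trimmed, constructed copy of the event in the post, and only the XPath subset the post uses (//a/b/text(), //a/b/@attr, [@Name='x'] predicates) is supported; `build_option_hash`, `duplicate_xpaths`, `dedupe`, `evaluate` and `run_filter` are names chosen for this example.

```python
"""Added example: reproduce the failing xpath config outside Logstash.

Assumptions (not from the original post):
  1. Logstash converts the flat `xpath => [ src, dest ]` pairs into one
     hash; a repeated src key keeps both dest values as a list.
  2. The xml filter passes that list to event.set() as the field name,
     which produces the RubyArrayTwoObject -> RubyString cast error.
Only the XPath subset used in the post is supported.
"""
import re
import xml.etree.ElementTree as ET

# Constructed sample: a trimmed copy of the event shown in the post.
SAMPLE_EVENTS = """<Events>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<EventID>108</EventID>
<TimeCreated SystemTime="2020-03-27T14:08:47.392601500+00:00" />
<Execution ProcessID="4828" ThreadID="1532" />
</System>
<EventData>
<Data Name="ConnectionHandle">0xCC000C</Data>
<Data Name="ServerName">xxxyyyyy.zzzz.com</Data>
</EventData>
</Event>
</Events>"""

# The relevant xpath pairs from the posted config, in order, including the
# ConnectionHandle entry that appears twice.
POSTED_XPATHS = [
    ("//Event/System/TimeCreated/@SystemTime", "SystemTime"),
    ("//Event/System/EventID/text()", "EventID"),
    ("//Event/System/Execution/@ProcessID", "ProcessID"),
    ("//Event/EventData/Data[@Name='ServerName']/text()", "ServerName"),
    ("//Event/EventData/Data[@Name='ConnectionHandle']/text()", "ConnectionHandle"),
    ("//Event/EventData/Data[@Name='ConnectionHandle']/text()", "ConnectionHandle"),
]


def build_option_hash(pairs):
    """Model (assumption 1) of the flat-array-to-hash conversion: a key seen
    twice keeps both values in a list instead of overwriting the first."""
    result = {}
    for key, value in pairs:
        if key not in result:
            result[key] = value
        elif isinstance(result[key], list):
            result[key].append(value)
        else:
            result[key] = [result[key], value]
    return result


def duplicate_xpaths(pairs):
    """Config lint: the xpath sources that occur more than once."""
    return sorted(k for k, v in build_option_hash(pairs).items() if isinstance(v, list))


def dedupe(pairs):
    """Keep the first occurrence of each (src, dest) pair, preserving order."""
    seen, out = set(), []
    for pair in pairs:
        if pair not in seen:
            seen.add(pair)
            out.append(pair)
    return out


def strip_namespaces(root):
    """Equivalent of remove_namespaces => true for the default namespace."""
    for el in root.iter():
        if isinstance(el.tag, str) and el.tag.startswith("{"):
            el.tag = el.tag.split("}", 1)[1]
    return root


# //path/text()  or  //path/@attr ; the path may contain [@Name='x'].
_XPATH_RE = re.compile(r"^//(?P<path>.+)/(?:text\(\)|@(?P<attr>\w+))$")


def evaluate(root, xpath):
    """Evaluate the supported XPath subset via ElementTree's find syntax."""
    m = _XPATH_RE.match(xpath)
    if not m:
        raise ValueError(f"unsupported xpath: {xpath}")
    attr = m.group("attr")
    values = []
    for el in root.findall(".//" + m.group("path")):
        value = el.get(attr) if attr else (el.text or "")
        if value is not None:
            values.append(value)
    return values


def run_filter(xml_text, pairs):
    """Apply the xpath hash to one document the way the xml filter does: one
    event.set(dest, value) per match, a single match stored as a plain string
    (force_array => false). A list-valued dest is rejected, which mirrors the
    ClassCastException in the post (assumption 2)."""
    root = strip_namespaces(ET.fromstring(xml_text))
    event = {}
    for src, dest in build_option_hash(pairs).items():
        if not isinstance(dest, str):
            raise TypeError(f"field name for {src!r} is {dest!r}, not a string")
        for value in evaluate(root, src):
            existing = event.get(dest)
            if existing is None:
                event[dest] = value
            elif isinstance(existing, list):
                existing.append(value)
            else:
                event[dest] = [existing, value]
    return event


if __name__ == "__main__":
    print("duplicate xpath keys:", duplicate_xpaths(POSTED_XPATHS))
    try:
        run_filter(SAMPLE_EVENTS, POSTED_XPATHS)
    except TypeError as exc:
        print("posted config fails:", exc)
    print("fixed config:", run_filter(SAMPLE_EVENTS, dedupe(POSTED_XPATHS)))
```

Under these assumptions the ServerName line works because its xpath key is unique, while the ConnectionHandle key maps to a two-element list; removing one of the two ConnectionHandle lines (what `dedupe` does here) leaves every destination a string. The `duplicate_xpaths` check is the kind of lint worth running over a filter block before deploying it, since the error Logstash reports names the Java types involved rather than the offending option.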