hi here !
I'm actually trying to parse some XML logs for my ELK satck,
but i don't understand what i did wrong ...
My logstash conf file :
> input {
> udp {
> port => 5514
> type => "log_xml"
> }
> }
>
> filter {
> if [type] == "log_xml" {
> grok {
> match => [ "message", "%{GREEDYDATA:inxml}" ]
> }
>
> xml {
>
> source => "inxml"
> store_xml => "false"
> xpath => ["/fault/@type","type_fault"]
> xpath => ["/fault/@severity","level_fault"]
> xpath => ["/fault/@active","active_fault"]
> xpath => ["/fault/@code","code_err"]
> xpath => ["/fault/@date","timestamp_fault"]
> xpath => ["/fault/@host","MAChost_fault"]
> xpath => ["/fault/@xsl","xsl_fault"]
> xpath => ["/fault/text","text_fault"]
> xpath => ["/fault/source", "source_fault"]
>
>
> }
>
> }
> }
> output {
> if "log_xml" in [tags] {
>
> elasticsearch {
> hosts => ["localhost:9200"]
> sniffing => true
> manage_template => false
> }
> stdout { codec => rubydebug}
> }
> }
My input logs look like :
<fault type=alarm severity=1 active=true code=0x00010001 date=1471436724 host=IP800-06-1f-88 xsl=fault_relay.xsl><text>Interface down</text><source>RELAY/TEL4</source></fault>
or
<fault type="clear" code="0x00010001" date="1471436715" host="IP800-06-1f-88"><text>Interface down</text><source>RELAY/TEL4</source></fault>
I think my xml filter don't work, it's a fact 
my output in logstash.stdout :
{ "message" => "<fault type=alarm severity=1 active=true code=0x00010001 date=1471436724 host=IP800-06-1f-88 xsl=fault_relay.xsl><text>Interface down</text><source>RELAY/TEL4</source></fault>", "@version" => "1", "@timestamp" => "2016-08-18T14:40:47.548Z", "type" => "log_xml", "host" => "127.0.0.1", "inxml" => "<fault type=alarm severity=1 active=true code=0x00010001 date=1471436724 host=IP800-06-1f-88 xsl=fault_relay.xsl><text>Interface down</text><source>RELAY/TEL4</source></fault>" }
I tryed many things, and solutions, but i can't fix this .....
thank's for your help,
regards,
Mr.Nice