Parsing Windows Event LOG XML and sending to Graylog

#1 giveen

I am trying to parse each of these XML fields into a field for graylog to handle, any ideas would help. I've added

```
<Extension xml>
    Module  xm_xml
</Extension>
```

and

```
Exec parse_windows_eventlog_xml(); to_xml();
```

but I'm not sure what else to do. I'm trying to work with this in the 'message' field:

```
The Federation Service validated a new credential. See XML for details.
Activity ID: 494a36f8-9b89-4477-8676-0080000000e1
Additional Data XML:
<?xml version="1.0" encoding="utf-16"?>
<AuditBase xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="FreshCredentialAudit">
  <AuditType>FreshCredentials</AuditType>
  <AuditResult>Success</AuditResult>
  <FailureType>None</FailureType>
  <ErrorCode>N/A</ErrorCode>
  <ContextComponents>
    <Component xsi:type="ResourceAuditComponent">
      <RelyingParty>https://xxxxxx.xxxxxxx.edu/adfs/services/trust</RelyingParty>
      <ClaimsProvider>AD AUTHORITY</ClaimsProvider>
      <UserId>UNIVERSITY\xxxxxxxxxxxxxx</UserId>
    </Component>
    <Component xsi:type="AuthNAuditComponent">
      <PrimaryAuth>N/A</PrimaryAuth>
      <DeviceAuth>false</DeviceAuth>
      <DeviceId>N/A</DeviceId>
      <MfaPerformed>false</MfaPerformed>
      <MfaMethod>N/A</MfaMethod>
      <TokenBindingProvidedId>false</TokenBindingProvidedId>
      <TokenBindingReferredId>false</TokenBindingReferredId>
      <SsoBindingValidationLevel>NotSet</SsoBindingValidationLevel>
    </Component>
    <Component xsi:type="ProtocolAuditComponent">
      <OAuthClientId>N/A</OAuthClientId>
      <OAuthGrant>N/A</OAuthGrant>
    </Component>
    <Component xsi:type="RequestAuditComponent">
      <Server>https://xxxxx.xxxxxx.edu/adfs/services/trust</Server>
      <AuthProtocol>WSFederation</AuthProtocol>
      <NetworkLocation>Intranet</NetworkLocation>
      <IpAddress>x.x.94.22</IpAddress>
      <ForwardedIpAddress>x.x.128.226</ForwardedIpAddress>
      <ProxyIpAddress>N/A</ProxyIpAddress>
      <NetworkIpAddress>N/A</NetworkIpAddress>
      <ProxyServer>N/A</ProxyServer>
      <UserAgentString>Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:77.0) Gecko/20100101 Firefox/77.0</UserAgentString>
      <Endpoint>/adfs/ls/</Endpoint>
    </Component>
  </ContextComponents>
</AuditBase>
```
#2 manuel.munoz (NXLog ✓)

> #1 giveen
>
> I am trying to parse each of these XML fields into a field for graylog to handle, any ideas would help. I've added
>
> ```
> <Extension xml>
>     Module  xm_xml
> </Extension>
> ```
>
> and
>
> ```
> Exec parse_windows_eventlog_xml(); to_xml();
> ```
>
> but I'm not sure what else to do. I'm trying to work with this in the 'message' field:
>
> ```
> The Federation Service validated a new credential. See XML for details.
> Activity ID: 494a36f8-9b89-4477-8676-0080000000e1
> Additional Data XML:
> <?xml version="1.0" encoding="utf-16"?>
> <AuditBase xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="FreshCredentialAudit">
>   <AuditType>FreshCredentials</AuditType>
>   <AuditResult>Success</AuditResult>
>   <FailureType>None</FailureType>
>   <ErrorCode>N/A</ErrorCode>
>   <ContextComponents>
>     <Component xsi:type="ResourceAuditComponent">
>       <RelyingParty>https://xxxxxx.xxxxxxx.edu/adfs/services/trust</RelyingParty>
>       <ClaimsProvider>AD AUTHORITY</ClaimsProvider>
>       <UserId>UNIVERSITY\xxxxxxxxxxxxxx</UserId>
>     </Component>
>     <Component xsi:type="AuthNAuditComponent">
>       <PrimaryAuth>N/A</PrimaryAuth>
>       <DeviceAuth>false</DeviceAuth>
>       <DeviceId>N/A</DeviceId>
>       <MfaPerformed>false</MfaPerformed>
>       <MfaMethod>N/A</MfaMethod>
>       <TokenBindingProvidedId>false</TokenBindingProvidedId>
>       <TokenBindingReferredId>false</TokenBindingReferredId>
>       <SsoBindingValidationLevel>NotSet</SsoBindingValidationLevel>
>     </Component>
>     <Component xsi:type="ProtocolAuditComponent">
>       <OAuthClientId>N/A</OAuthClientId>
>       <OAuthGrant>N/A</OAuthGrant>
>     </Component>
>     <Component xsi:type="RequestAuditComponent">
>       <Server>https://xxxxx.xxxxxx.edu/adfs/services/trust</Server>
>       <AuthProtocol>WSFederation</AuthProtocol>
>       <NetworkLocation>Intranet</NetworkLocation>
>       <IpAddress>x.x.94.22</IpAddress>
>       <ForwardedIpAddress>x.x.128.226</ForwardedIpAddress>
>       <ProxyIpAddress>N/A</ProxyIpAddress>
>       <NetworkIpAddress>N/A</NetworkIpAddress>
>       <ProxyServer>N/A</ProxyServer>
>       <UserAgentString>Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:77.0) Gecko/20100101 Firefox/77.0</UserAgentString>
>       <Endpoint>/adfs/ls/</Endpoint>
>     </Component>
>   </ContextComponents>
> </AuditBase>
> ```

Can you paste relevant parts of your config?
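As an added example (not code from this thread, NXLog or Graylog), the Python below shows the two steps the original poster is after, independent of which tool ends up doing them: locate the `<AuditBase>` document inside the event's message text, then flatten each leaf into a GELF additional field whose name carries the enclosing `Component`'s `xsi:type`, so that a tag such as `IpAddress` cannot collide across components. The sample message is constructed with placeholder values; the field-naming scheme, the `_ActivityId` field and the decision to discard ADFS's literal `N/A` fillers are assumptions made here.

```python
"""Pull the ADFS <AuditBase> XML out of a Windows event message and flatten
it into GELF additional fields (added example, not NXLog or Graylog code)."""
import re
import xml.etree.ElementTree as ET

# ElementTree exposes namespaced attributes in Clark notation.
XSI_TYPE = "{http://www.w3.org/2001/XMLSchema-instance}type"

# Match the activity GUID and the embedded XML document. The XML regex starts
# at <AuditBase> on purpose: the <?xml encoding="utf-16"?> prologue describes
# the original byte stream, not the already-decoded string held here.
ACTIVITY_RE = re.compile(r"Activity ID:\s*([0-9a-fA-F-]{36})")
XML_RE = re.compile(r"(<AuditBase\b.*</AuditBase>)", re.DOTALL)

# Constructed sample shaped like the Security event quoted in the thread,
# with placeholder host names, user and addresses.
SAMPLE_MESSAGE = (
    "The Federation Service validated a new credential. See XML for details.\n"
    "Activity ID: 00000000-0000-0000-0000-000000000000\n"
    "Additional Data XML:\n"
    '<?xml version="1.0" encoding="utf-16"?>'
    '<AuditBase xmlns:xsd="http://www.w3.org/2001/XMLSchema" '
    'xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="FreshCredentialAudit">'
    "<AuditType>FreshCredentials</AuditType><AuditResult>Success</AuditResult>"
    "<FailureType>None</FailureType><ErrorCode>N/A</ErrorCode>"
    "<ContextComponents>"
    '<Component xsi:type="ResourceAuditComponent">'
    "<RelyingParty>https://sts.example.edu/adfs/services/trust</RelyingParty>"
    "<ClaimsProvider>AD AUTHORITY</ClaimsProvider><UserId>EXAMPLE\\jdoe</UserId>"
    "</Component>"
    '<Component xsi:type="AuthNAuditComponent">'
    "<PrimaryAuth>N/A</PrimaryAuth><DeviceAuth>false</DeviceAuth>"
    "<MfaPerformed>false</MfaPerformed></Component>"
    '<Component xsi:type="RequestAuditComponent">'
    "<AuthProtocol>WSFederation</AuthProtocol><NetworkLocation>Intranet</NetworkLocation>"
    "<IpAddress>192.0.2.22</IpAddress><ForwardedIpAddress>198.51.100.226</ForwardedIpAddress>"
    "<UserAgentString>Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:77.0) "
    "Gecko/20100101 Firefox/77.0</UserAgentString>"
    "<Endpoint>/adfs/ls/</Endpoint></Component>"
    "</ContextComponents></AuditBase>"
)


def _put(fields, key, text):
    """Store one leaf value. ADFS emits a literal "N/A" for every unused
    field; dropping it (an assumption made here) keeps absent data absent."""
    value = (text or "").strip()
    if value and value != "N/A":
        fields[key] = value


def flatten_audit(root):
    """Top-level leaves keep their tag; leaves under <Component xsi:type="X">
    become X_<tag>. Values stay strings, which is what GELF expects."""
    fields = {"AuditKind": root.get(XSI_TYPE, "Unknown")}
    for child in root:
        if child.tag == "ContextComponents":
            for component in child:
                prefix = component.get(XSI_TYPE, "Component")
                for leaf in component:
                    _put(fields, f"{prefix}_{leaf.tag}", leaf.text)
        else:
            _put(fields, child.tag, child.text)
    return fields


def parse_adfs_message(message):
    """Return GELF additional fields ("_" prefix) for one event. A message
    without XML still yields the activity id, so the event is never lost;
    a malformed payload is flagged in a field instead of raising."""
    out = {}
    m = ACTIVITY_RE.search(message)
    if m:
        out["_ActivityId"] = m.group(1)
    x = XML_RE.search(message)
    if not x:
        return out
    try:
        root = ET.fromstring(x.group(1))
    except ET.ParseError:
        out["_AuditXmlError"] = "unparseable AuditBase payload"
        return out
    for key, value in flatten_audit(root).items():
        out["_" + key] = value
    return out


if __name__ == "__main__":
    for key, value in sorted(parse_adfs_message(SAMPLE_MESSAGE).items()):
        print(f"{key} = {value}")
```

Whatever performs this step in production (an NXLog `Exec` block, a Graylog pipeline rule, or a small forwarder) has to make the same choices: anchor on `<AuditBase>` rather than trusting the `utf-16` prologue, qualify leaf names by component so the two address fields stay distinguishable, and keep an event whose XML fails to parse rather than silently dropping an authentication record.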