Converting XML to syslog | Log collection solutions

#1 Callahan 7 years ago

Hi, I'm looking at trying to convert an XML file from one of our filers containing this XML file below (top line is different to rest of the xml) into a syslog output: ` 4656Open Object101.3CIFS000x8020000000000000Audit SuccessSecurityservercf380853-6606-11e6-9638-00a098a5e1db/2fe0edc3-723f-11e7-ab83-00a098a627d4192.168.0.24S-1-5-21-1997283580-3459341067-486214353-122727falseDomainfirstname.lastnameSecurityDirectory000000000004cc;00;00000061;2a5f8706(server);/share%%4416 %%4423 81Read Data; List Directory; Read Attributes; ` Currently I have the following config but I'm not getting anything sent to the syslog server running on the same box (for testing purposes at present): define ROOT C:\Program Files (x86)\nxlog Module xm_gelf Moduledir %ROOT%\modules CacheDir %ROOT%\data Pidfile %ROOT%\data\nxlog.pid SpoolDir %ROOT%\data LogFile %ROOT%\data\nxlog.log Module xm_multiline HeaderLine /^/ EndLine /^/ Module xm_xml Module xm_json Module im_file File "C:\\audit.xml" SavePos FALSE ReadFromLast FALSE InputType multiline # Discard everything that doesn't seem to be an xml event if $raw_event !~ /^/ drop(); # Parse the xml event parse_xml(); # Rewrite some fields #$EventTime = parsedate($timestamp); #delete($timestamp); #delete($EventReceivedTime); # Convert to JSON to_json(); Module om_udp Host 192.168.0.12 Port 2548 Path in => out Can anyone point me at where I'm going wrong? Thanks for your help.

Permalink

#2 b0ti Nxlog ✓ 7 years ago (Last updated 7 years ago )

#1 Callahan

Hi, I'm looking at trying to convert an XML file from one of our filers containing this XML file below (top line is different to rest of the xml) into a syslog output: `<Events xmlns="http://www.netapp.com/schemas/ONTAP/2007/AuditLog"> <Event><System><Provider Name="NetApp-Security-Auditing" Guid="{3CB2A168-FE19-4A4E-BDAD-DCF422F13473}"/><EventID>4656</EventID><EventName>Open Object</EventName><Version>101.3</Version><Source>CIFS</Source><Level>0</Level><Opcode>0</Opcode><Keywords>0x8020000000000000</Keywords><Result>Audit Success</Result><TimeCreated SystemTime="2017-12-15T10:34:51.979061000Z"/><Correlation/><Channel>Security</Channel><Computer>server</Computer><ComputerUUID>cf380853-6606-11e6-9638-00a098a5e1db/2fe0edc3-723f-11e7-ab83-00a098a627d4</ComputerUUID><Security/></System><EventData><Data Name="SubjectIP" IPVersion="4">192.168.0.24</Data><Data Name="SubjectUnix" Uid="65534" Gid="65534" Local="false"></Data><Data Name="SubjectUserSid">S-1-5-21-1997283580-3459341067-486214353-122727</Data><Data Name="SubjectUserIsLocal">false</Data><Data Name="SubjectDomainName">Domain</Data><Data Name="SubjectUserName">firstname.lastname</Data><Data Name="ObjectServer">Security</Data><Data Name="ObjectType">Directory</Data><Data Name="HandleID">000000000004cc;00;00000061;2a5f8706</Data><Data Name="ObjectName">(server);/share</Data><Data Name="AccessList">%%4416 %%4423 </Data><Data Name="AccessMask">81</Data><Data Name="DesiredAccess">Read Data; List Directory; Read Attributes; </Data><Data Name="Attributes"></Data></EventData></Event>` Currently I have the following config but I'm not getting anything sent to the syslog server running on the same box (for testing purposes at present): define ROOT C:\Program Files (x86)\nxlog <Extension gelf> Module xm_gelf </Extension> Moduledir %ROOT%\modules CacheDir %ROOT%\data Pidfile %ROOT%\data\nxlog.pid SpoolDir %ROOT%\data LogFile %ROOT%\data\nxlog.log <Extension multiline> Module xm_multiline HeaderLine /^<event>/ EndLine /^</event>/ </Extension> <Extension xmlparser> Module xm_xml </Extension> <Extension json> Module xm_json </Extension> <Input in> Module im_file File "C:\\audit.xml" SavePos FALSE ReadFromLast FALSE InputType multiline <Exec> # Discard everything that doesn't seem to be an xml event if $raw_event !~ /^<event>/ drop(); # Parse the xml event parse_xml(); # Rewrite some fields #$EventTime = parsedate($timestamp); #delete($timestamp); #delete($EventReceivedTime); # Convert to JSON to_json(); </Exec> </Input> <Output out> Module om_udp Host 192.168.0.12 Port 2548 </Output> <Route 1> Path in => out </Route> Can anyone point me at where I'm going wrong? Thanks for your help.

The config with xm_multiline will read XML when the tags are on separate lines like this:

<Event>
  <Foo>foo</Foo>
  <Bar>bar</Bar>
</Event>

In this case it looks like your events are in a single line.

Also looking at the data I see that this is XML extracted from the windows eventlog. You might want to consider using the im_msvistalog module to read that directly. There is a File directive for im_msvistalog in the Enterprise Edition that lets you read .evtx files directly that netapp creates.