urlscan Public Scan of nxlog.co (159.89.90.74)
URL: https://nxlog.co/community-forum/t/504-converting-xml-to-syslog
Submission: On July 28 via manual from US — Scanned from DE
Converting XML to syslog

--------------------------------------------------------------------------------

#1 Callahan, 5 years ago

Hi, I'm looking at trying to convert an XML file from one of our filers containing the XML below (the top line is different from the rest of the XML) into a syslog output:

```xml
<Events xmlns="http://www.netapp.com/schemas/ONTAP/2007/AuditLog">
<Event><System><Provider Name="NetApp-Security-Auditing" Guid="{3CB2A168-FE19-4A4E-BDAD-DCF422F13473}"/><EventID>4656</EventID><EventName>Open Object</EventName><Version>101.3</Version><Source>CIFS</Source><Level>0</Level><Opcode>0</Opcode><Keywords>0x8020000000000000</Keywords><Result>Audit Success</Result><TimeCreated SystemTime="2017-12-15T10:34:51.979061000Z"/><Correlation/><Channel>Security</Channel><Computer>server</Computer><ComputerUUID>cf380853-6606-11e6-9638-00a098a5e1db/2fe0edc3-723f-11e7-ab83-00a098a627d4</ComputerUUID><Security/></System><EventData><Data Name="SubjectIP" IPVersion="4">192.168.0.24</Data><Data Name="SubjectUnix" Uid="65534" Gid="65534" Local="false"></Data><Data Name="SubjectUserSid">S-1-5-21-1997283580-3459341067-486214353-122727</Data><Data Name="SubjectUserIsLocal">false</Data><Data Name="SubjectDomainName">Domain</Data><Data Name="SubjectUserName">firstname.lastname</Data><Data Name="ObjectServer">Security</Data><Data Name="ObjectType">Directory</Data><Data Name="HandleID">000000000004cc;00;00000061;2a5f8706</Data><Data Name="ObjectName">(server);/share</Data><Data Name="AccessList">%%4416 %%4423 </Data><Data Name="AccessMask">81</Data><Data Name="DesiredAccess">Read Data; List Directory; Read Attributes; </Data><Data Name="Attributes"></Data></EventData></Event>
```

Currently I have the following config, but I'm not getting anything sent to the syslog server running on the same box (for testing purposes at present):

```
define ROOT C:\Program Files (x86)\nxlog

<Extension gelf>
    Module xm_gelf
</Extension>

Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data
LogFile %ROOT%\data\nxlog.log

<Extension multiline>
    Module xm_multiline
    HeaderLine /^<event>/
    EndLine /^<\/event>/
</Extension>

<Extension xmlparser>
    Module xm_xml
</Extension>

<Extension json>
    Module xm_json
</Extension>

<Input in>
    Module im_file
    File "C:\\audit.xml"
    SavePos FALSE
    ReadFromLast FALSE
    InputType multiline
    <Exec>
        # Discard everything that doesn't seem to be an xml event
        if $raw_event !~ /^<event>/ drop();
        # Parse the xml event
        parse_xml();
        # Rewrite some fields
        #$EventTime = parsedate($timestamp);
        #delete($timestamp);
        #delete($EventReceivedTime);
        # Convert to JSON
        to_json();
    </Exec>
</Input>

<Output out>
    Module om_udp
    Host 192.168.0.12
    Port 2548
</Output>

<Route 1>
    Path in => out
</Route>
```

Can anyone point me at where I'm going wrong? Thanks for your help.

--------------------------------------------------------------------------------

#2 b0ti, 5 years ago (last updated 5 years ago)

> (#1 by Callahan, quoted in full above)

The config with xm_multiline will read XML when the tags are on separate lines like this:

```xml
<Event>
<Foo>foo</Foo>
<Bar>bar</Bar>
</Event>
```

In this case it looks like your events are on a single line.

Also, looking at the data, I see that this is XML extracted from the Windows Event Log. You might want to consider using the im_msvistalog module to read that directly. There is a File directive for im_msvistalog in the Enterprise Edition that lets you read the .evtx files that NetApp creates directly.
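Because the file posted in #1 already holds one complete `<Event>` element per line, the conversion needs no multiline handling at all; it is a line filter, an XML parse and a syslog render. The script below is an added example and is not code from the thread or from NXLog. It keeps only lines that start with the exact prefix `<Event>` as it appears in the posted data (the trailing `>` is what excludes the `<Events xmlns=...>` wrapper line, which begins with the same five letters), flattens the `System` children and the `EventData/Data Name="..."` entries into fields, and emits one RFC 5424 syslog line per event with a JSON body. The sample lines are constructed from the event shape in the thread; the app-name `netapp-audit`, the facility and severity values, the field-naming scheme and the truncation of ONTAP's nine-digit fractional seconds to the six that RFC 5424 permits are assumptions of this example.

```python
import json
import xml.etree.ElementTree as ET

# Constructed sample input modelled on the file shape posted in the thread:
# line 1 is the <Events> wrapper (different from the rest), each later line is
# one complete <Event> element, then a deliberately truncated line to show
# error handling, and finally the closing wrapper tag.
SAMPLE_LINES = [
    '<Events xmlns="http://www.netapp.com/schemas/ONTAP/2007/AuditLog">',
    '<Event><System><Provider Name="NetApp-Security-Auditing" Guid="{3CB2A168-FE19-4A4E-BDAD-DCF422F13473}"/>'
    '<EventID>4656</EventID><EventName>Open Object</EventName><Source>CIFS</Source>'
    '<Result>Audit Success</Result><TimeCreated SystemTime="2017-12-15T10:34:51.979061000Z"/>'
    '<Correlation/><Channel>Security</Channel><Computer>server</Computer><Security/></System>'
    '<EventData><Data Name="SubjectIP" IPVersion="4">192.168.0.24</Data>'
    '<Data Name="SubjectUserName">firstname.lastname</Data>'
    '<Data Name="ObjectName">(server);/share</Data>'
    '<Data Name="DesiredAccess">Read Data; List Directory; Read Attributes; </Data>'
    '<Data Name="Attributes"></Data></EventData></Event>',
    '<Event><System><EventID>4656</EventID></System><EventData><Data Name="Broken">x</Data>',
    '</Events>',
]


def is_event_line(line: str) -> bool:
    """True for lines holding one event; the exact "<Event>" prefix keeps the
    "<Events xmlns=..." wrapper line out because it lacks the closing ">"."""
    return line.startswith("<Event>")


def parse_event(line: str) -> dict:
    """Flatten one <Event> line into {field name: string value}.

    Each line is parsed on its own, so the xmlns declared on the <Events>
    wrapper never applies and tag names carry no namespace prefix.
    Attributes are stored as "<Tag>.<attr>" or "<DataName>.<attr>" (assumed scheme).
    """
    root = ET.fromstring(line)
    if root.tag != "Event":
        raise ValueError(f"not an <Event> element: {root.tag}")
    fields = {}
    system = root.find("System")
    if system is not None:
        for child in system:
            if child.text and child.text.strip():
                fields[child.tag] = child.text.strip()
            for attr, value in child.attrib.items():
                fields[f"{child.tag}.{attr}"] = value
    for data in root.iterfind("EventData/Data"):
        name = data.get("Name")
        if name is None:
            continue
        fields[name] = (data.text or "").strip()
        for attr, value in data.attrib.items():
            if attr != "Name":
                fields[f"{name}.{attr}"] = value
    return fields


def normalize_timestamp(ts: str) -> str:
    """RFC 5424 allows at most six fractional-second digits; ONTAP emits nine."""
    if "." in ts and ts.endswith("Z"):
        base, frac = ts[:-1].split(".", 1)
        return f"{base}.{frac[:6]}Z"
    return ts


def to_syslog(fields: dict, facility: int = 13, severity: int = 6) -> str:
    """Render flattened fields as an RFC 5424 line with a JSON message body.
    Facility 13 (log audit) and severity 6 (informational) are this example's choice."""
    pri = facility * 8 + severity
    ts = normalize_timestamp(fields.get("TimeCreated.SystemTime", "-"))
    host = fields.get("Computer", "-")
    msgid = fields.get("EventID", "-")
    body = json.dumps(fields, sort_keys=True)
    return f"<{pri}>1 {ts} {host} netapp-audit - {msgid} - {body}"


def convert(lines) -> tuple:
    """Turn raw file lines into syslog messages; returns (messages, dropped_count)."""
    messages, dropped = [], 0
    for line in lines:
        line = line.strip()
        if not is_event_line(line):
            continue  # wrapper open/close tags and anything else that is not an event
        try:
            fields = parse_event(line)
        except ET.ParseError:
            dropped += 1  # truncated or malformed line: count it rather than abort the feed
            continue
        messages.append(to_syslog(fields))
    return messages, dropped


if __name__ == "__main__":
    out, bad = convert(SAMPLE_LINES)
    for message in out:
        print(message)
    print(f"dropped {bad} malformed line(s)")
```

Sending the result over UDP is a one-line `socket.sendto` of each message; the part that matters for a collector is that malformed lines are counted and skipped rather than stopping the feed, and that the wrapper lines never reach the parser.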