Create a gist now

Instantly share code, notes, and snippets.

@Kvetch /Procmon-XML.json
Created May 9, 2017

Embed
What would you like to do?
Download ZIP
Raw
Procmon-XML.json
input {
file {
path => "/Somedir/Output/Logfile.XML"
start_position => beginning
sincedb_path => "/dev/null"
codec => multiline {
pattern => "(<process>|<event>)"
negate => "true"
what => "previous"
auto_flush_interval => 1
max_lines => 2000
}
}
}
filter {
mutate {
gsub => [
"message", "<procmon><processlist>", "",
"message", "\r", ""
]
}
xml {
source => "message"
store_xml => false
xpath => [
"/process/ProcessIndex/text()", "ProcessIndex",
"/process/ProcessId/text()", "ProcessId",
"/process/ParentProcessId/text()", "ParentProcessId",
"/process/ParentProcessIndex/text()", "ParentProcessIndex",
"/process/AuthenticationId/text()", "AuthenticationId",
"/process/CreateTime/text()", "CreateTime",
"/process/FinishTime/text()", "FinishTime",
"/process/IsVirtualized/text()", "IsVirtualized",
"/process/Integrity/text()", "Integrity",
"/process/Owner/text()", "Owner",
"/process/ProcessName/text()", "ProcessName",
"/process/ImagePath/text()", "ImagePath",
"/process/CommandLine/text()", "CommandLine",
"/process/CompanyName/text()", "CompanyName",
"/process/Version/text()", "Version",
"/process/Description/text()", "Description",
"/process/modulelist", "modulelist"
]
}
xml {
source => "modulelist"
store_xml => false
xpath => [
"/module/Path/text()","LoadedModules"
]
}
xml {
source => "message"
store_xml => false
xpath => [
"/event/ProcessIndex/text()","ProcessIndex",
"/event/Time_of_Day/text()","Time_of_Day",
"/event/Process_Name/text()","Process_Name",
"/event/PID/text()","PID",
"/event/Operation/text()","Operation",
"/event/Result/text()","ResultResult",
"/event/DetailDetail/text()","Detail"
]
}
mutate {
remove_field => ['message','modulelist']
}
}
output
{
elasticsearch
{
hosts => "localhost"
index => "logstash-"
document_type => "Procmon"
}
stdout { codec =>rubydebug}
}
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment