/Procmon-XML.json
Created May 9, 2017
| input { | |
| file { | |
| path => "/Somedir/Output/Logfile.XML" | |
| start_position => beginning | |
| sincedb_path => "/dev/null" | |
| codec => multiline { | |
| pattern => "(<process>|<event>)" | |
| negate => "true" | |
| what => "previous" | |
| auto_flush_interval => 1 | |
| max_lines => 2000 | |
| } | |
| } | |
| } | |
| filter { | |
| mutate { | |
| gsub => [ | |
| "message", "<procmon><processlist>", "", | |
| "message", "\r", "" | |
| ] | |
| } | |
| xml { | |
| source => "message" | |
| store_xml => false | |
| xpath => [ | |
| "/process/ProcessIndex/text()", "ProcessIndex", | |
| "/process/ProcessId/text()", "ProcessId", | |
| "/process/ParentProcessId/text()", "ParentProcessId", | |
| "/process/ParentProcessIndex/text()", "ParentProcessIndex", | |
| "/process/AuthenticationId/text()", "AuthenticationId", | |
| "/process/CreateTime/text()", "CreateTime", | |
| "/process/FinishTime/text()", "FinishTime", | |
| "/process/IsVirtualized/text()", "IsVirtualized", | |
| "/process/Integrity/text()", "Integrity", | |
| "/process/Owner/text()", "Owner", | |
| "/process/ProcessName/text()", "ProcessName", | |
| "/process/ImagePath/text()", "ImagePath", | |
| "/process/CommandLine/text()", "CommandLine", | |
| "/process/CompanyName/text()", "CompanyName", | |
| "/process/Version/text()", "Version", | |
| "/process/Description/text()", "Description", | |
| "/process/modulelist", "modulelist" | |
| ] | |
| } | |
| xml { | |
| source => "modulelist" | |
| store_xml => false | |
| xpath => [ | |
| "/module/Path/text()","LoadedModules" | |
| ] | |
| } | |
| xml { | |
| source => "message" | |
| store_xml => false | |
| xpath => [ | |
| "/event/ProcessIndex/text()","ProcessIndex", | |
| "/event/Time_of_Day/text()","Time_of_Day", | |
| "/event/Process_Name/text()","Process_Name", | |
| "/event/PID/text()","PID", | |
| "/event/Operation/text()","Operation", | |
| "/event/Result/text()","ResultResult", | |
| "/event/DetailDetail/text()","Detail" | |
| ] | |
| } | |
| mutate { | |
| remove_field => ['message','modulelist'] | |
| } | |
| } | |
| output | |
| { | |
| elasticsearch | |
| { | |
| hosts => "localhost" | |
| index => "logstash-" | |
| document_type => "Procmon" | |
| } | |
| stdout { codec =>rubydebug} | |
| } |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment