Kvetch/Procmon-XML.json

## Procmon-XML.json
input {
  file {
    path => "/Somedir/Output/Logfile.XML"
    start_position => beginning
    sincedb_path => "/dev/null"
    codec => multiline {
      pattern => "(<process>|<event>)"
      negate => "true"
      what => "previous"
      auto_flush_interval => 1
      max_lines => 2000
    }
  }
}

filter {
  mutate {
    gsub => [
      "message", "<procmon><processlist>", "",
      "message", "\r", ""
    ]

  }
  xml {
    source => "message"
    store_xml => false
    xpath => [
      "/process/ProcessIndex/text()", "ProcessIndex",
      "/process/ProcessId/text()", "ProcessId",
      "/process/ParentProcessId/text()", "ParentProcessId",
      "/process/ParentProcessIndex/text()", "ParentProcessIndex",
      "/process/AuthenticationId/text()", "AuthenticationId",
      "/process/CreateTime/text()", "CreateTime",
      "/process/FinishTime/text()", "FinishTime",
      "/process/IsVirtualized/text()", "IsVirtualized",
      "/process/Integrity/text()", "Integrity",
      "/process/Owner/text()", "Owner",
      "/process/ProcessName/text()", "ProcessName",
      "/process/ImagePath/text()", "ImagePath",
      "/process/CommandLine/text()", "CommandLine",
      "/process/CompanyName/text()", "CompanyName",
      "/process/Version/text()", "Version",
      "/process/Description/text()", "Description",
      "/process/modulelist", "modulelist"
    ]
  }
  xml {
    source => "modulelist"
    store_xml => false
    xpath => [
      "/module/Path/text()","LoadedModules"
    ]
  }
xml {
  source => "message"
  store_xml => false
  xpath => [
    "/event/ProcessIndex/text()","ProcessIndex",
    "/event/Time_of_Day/text()","Time_of_Day",
    "/event/Process_Name/text()","Process_Name",
    "/event/PID/text()","PID",
    "/event/Operation/text()","Operation",
    "/event/Result/text()","ResultResult",
    "/event/DetailDetail/text()","Detail"
  ]
}
mutate {
remove_field => ['message','modulelist']
}
}
output
{
    elasticsearch
    {
        hosts => "localhost"
        index => "logstash-"
        document_type => "Procmon"
    }
stdout { codec =>rubydebug}
}
	input {
	file {
	path => "/Somedir/Output/Logfile.XML"
	start_position => beginning
	sincedb_path => "/dev/null"
	codec => multiline {
	pattern => "(<process>\|<event>)"
	negate => "true"
	what => "previous"
	auto_flush_interval => 1
	max_lines => 2000
	}
	}
	}

	filter {
	mutate {
	gsub => [
	"message", "<procmon><processlist>", "",
	"message", "\r", ""
	]

	}
	xml {
	source => "message"
	store_xml => false
	xpath => [
	"/process/ProcessIndex/text()", "ProcessIndex",
	"/process/ProcessId/text()", "ProcessId",
	"/process/ParentProcessId/text()", "ParentProcessId",
	"/process/ParentProcessIndex/text()", "ParentProcessIndex",
	"/process/AuthenticationId/text()", "AuthenticationId",
	"/process/CreateTime/text()", "CreateTime",
	"/process/FinishTime/text()", "FinishTime",
	"/process/IsVirtualized/text()", "IsVirtualized",
	"/process/Integrity/text()", "Integrity",
	"/process/Owner/text()", "Owner",
	"/process/ProcessName/text()", "ProcessName",
	"/process/ImagePath/text()", "ImagePath",
	"/process/CommandLine/text()", "CommandLine",
	"/process/CompanyName/text()", "CompanyName",
	"/process/Version/text()", "Version",
	"/process/Description/text()", "Description",
	"/process/modulelist", "modulelist"
	]
	}
	xml {
	source => "modulelist"
	store_xml => false
	xpath => [
	"/module/Path/text()","LoadedModules"
	]
	}
	xml {
	source => "message"
	store_xml => false
	xpath => [
	"/event/ProcessIndex/text()","ProcessIndex",
	"/event/Time_of_Day/text()","Time_of_Day",
	"/event/Process_Name/text()","Process_Name",
	"/event/PID/text()","PID",
	"/event/Operation/text()","Operation",
	"/event/Result/text()","ResultResult",
	"/event/DetailDetail/text()","Detail"
	]
	}
	mutate {
	remove_field => ['message','modulelist']
	}
	}
	output
	{
	elasticsearch
	{
	hosts => "localhost"
	index => "logstash-"
	document_type => "Procmon"
	}
	stdout { codec =>rubydebug}
	}