Decode XML
The decode_xml processor decodes XML data that is stored under the field key. It outputs the result into the target_field.
This example demonstrates how to decode an XML string contained in the message
field and write the resulting fields into the root of the document. Any fields
that already exist will be overwritten.

    processors:
      - decode_xml:
          field: message
          target_field: ""
          overwrite_keys: true

By default any decoding errors that occur will stop the processing chain and the error will be added to the error.message field. To ignore all errors and continue to the next processor you can set ignore_failure: true. To specifically ignore failures caused by field not existing you can set ignore_missing: true.

    processors:
      - decode_xml:
          field: example
          target_field: xml
          ignore_missing: true
          ignore_failure: true

By default all keys converted from XML will have their names converted to lowercase. To disable this behavior, set to_lower: false as in the example below:

    processors:
      - decode_xml:
          field: message
          target_field: xml
          to_lower: false

Example XML input:

    <catalog>
      <book seq="1">
        <author>William H. Gaddis</author>
        <title>The Recognitions</title>
        <review>One of the great seminal American novels of the 20th century.</review>
      </book>
    </catalog>

Will produce the following output:

    {
      "xml": {
        "catalog": {
          "book": {
            "author": "William H. Gaddis",
            "review": "One of the great seminal American novels of the 20th century.",
            "seq": "1",
            "title": "The Recognitions"
          }
        }
      }
    }

The supported configuration options are:

- field: (Required) Source field containing the XML. Defaults to message.
- target_field: (Optional) The field under which the decoded XML will be written. By default the decoded XML object replaces the field from which it was read. To merge the decoded XML fields into the root of the event specify target_field with an empty string (target_field: ""). Note that the null value (target_field:) is treated as if the field was not set at all.
- overwrite_keys: (Optional) A boolean that specifies whether keys that already exist in the event are overwritten by keys from the decoded XML object. The default value is true.
- to_lower: (Optional) Converts all keys to lowercase. Accepts either true or false. The default value is true.
- document_id: (Optional) XML key to use as the document ID. If configured, the field will be removed from the original XML document and stored in @metadata._id.
- ignore_missing: (Optional) If true the processor will not return an error when a specified field does not exist. Defaults to false.
- ignore_failure: (Optional) Ignore all errors produced by the processor. Defaults to false.

See Conditions for a list of supported conditions.
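
The following Python model is an added example, not code from Auditbeat or its documentation. It mirrors the target_field and overwrite_keys options described above to show what happens when a decoded XML key collides with a field that already exists in the event. The names decode_xml and _to_map, the sample events, the shallow root merge, and the handling of a leaf element with attributes are assumptions of this model; repeated sibling elements are not modelled.

```python
import xml.etree.ElementTree as ET

def _to_map(elem, to_lower):
    # Attributes and child elements become keys; a plain leaf becomes its text.
    norm = (lambda s: s.lower()) if to_lower else (lambda s: s)
    node = {norm(k): v for k, v in elem.attrib.items()}
    for child in elem:
        node[norm(child.tag)] = _to_map(child, to_lower)
    return node if node else (elem.text or "").strip()

def decode_xml(event, field="message", target_field=None,
               overwrite_keys=True, to_lower=True):
    """Simplified model of the options documented on this page."""
    root = ET.fromstring(event[field])
    name = root.tag.lower() if to_lower else root.tag
    decoded = {name: _to_map(root, to_lower)}
    out = dict(event)
    if target_field is None:          # unset: replace the source field
        out[field] = decoded
    elif target_field == "":          # merge into the event root
        for key, value in decoded.items():
            # Assumption: with overwrite_keys false the existing value is kept.
            if overwrite_keys or key not in out:
                out[key] = value
    else:                             # write under a dedicated field
        out[target_field] = decoded
    return out

# Constructed sample inputs (not real Auditbeat events).
CATALOG = ('<catalog><book seq="1"><author>William H. Gaddis</author>'
           '<title>The Recognitions</title></book></catalog>')
COLLIDING = {"message": "<user><name>from-xml</name></user>",
             "user": {"name": "from-agent"}}

def demo():
    return {
        "catalog": decode_xml({"message": CATALOG}, target_field="xml"),
        "root_overwrite": decode_xml(COLLIDING, target_field=""),
        "root_keep": decode_xml(COLLIDING, target_field="",
                                overwrite_keys=False),
        "namespaced": decode_xml(COLLIDING, target_field="xml"),
    }

if __name__ == "__main__":
    for label, event in demo().items():
        print(label, event)
```

When the XML comes from log content that the agent does not control, writing it under a dedicated target_field keeps agent-populated fields intact, whereas a root merge with overwrite_keys: true replaces them.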