Best way to parse XML with sidecar before sending to Graylog

Hello,

Fairly new to Graylog and trying to get some Radius/NPS logs ingested using a sidecar on a Windows server. Sidecar setup went okay, I am using the Filebeat module and getting the log data into Graylog. My issue is that the entirety of the logged items is showing up as XML in the message field. I would like to break the XML out into fields. All of my research seems to state that it’s best to process the XML before sending the data to Graylog instead of processing with a pipeline or extractor after the log data is received.

I am just wondering if anyone can share some configuration options for Filebeat that would help to parse the XML or otherwise give some advice on the best way to handle this data. I seem to be struggling to find good info on how to parse the data before it is sent to Graylog.

Currently using Graylog 3.2.

Thank you in advance!

The only possible way I know is the dissect processor.
But it depends on your input data.

Data is seemingly well-formed XML on a single line. Seems like it should be a straightforward task but certainly isn’t working out that way. I did find some tips on Filebeat configuration but I haven’t been able to test yet.
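As an added example (not posted by anyone in this thread, and not a Filebeat feature): a small Python pre-processing step that turns one single-line XML event into flat fields and emits one JSON object per line, so the fields no longer arrive as one XML string. The `<Event>` layout, element names, values and the `nps_` prefix are constructed assumptions for illustration.

```python
import json
import xml.etree.ElementTree as ET

# Constructed sample line in a single-line <Event> layout; all values are made up.
SAMPLE = ('<Event><Timestamp data_type="4">01/20/2020 11:55:03.104</Timestamp>'
          '<Computer-Name data_type="1">NPS01</Computer-Name>'
          '<User-Name data_type="1">alice&amp;co</User-Name>'
          '<Client-IP-Address data_type="3">192.0.2.10</Client-IP-Address>'
          '<Packet-Type data_type="0">1</Packet-Type>'
          '<Class data_type="1">a</Class><Class data_type="1">b</Class></Event>')

def field_name(tag, prefix="nps_"):
    """Turn an element name such as Client-IP-Address into nps_client_ip_address."""
    return prefix + tag.lower().replace("-", "_")

def parse_event(line):
    """Return a flat dict of fields for one XML log line, or None if unusable."""
    line = line.strip()
    # Log values can be attacker-influenced (e.g. user names), so refuse DTDs
    # and entity declarations instead of handing them to the XML parser.
    if not line or "<!DOCTYPE" in line or "<!ENTITY" in line:
        return None
    try:
        root = ET.fromstring(line)
    except ET.ParseError:
        return None
    fields = {}
    for child in root:
        name = field_name(child.tag)
        value = (child.text or "").strip()
        if name in fields:
            # Repeated elements: keep every value rather than overwriting.
            old = fields[name]
            fields[name] = old + [value] if isinstance(old, list) else [old, value]
        else:
            fields[name] = value
    return fields

def to_json_line(line):
    """One JSON object per event, keeping the raw line when parsing fails."""
    fields = parse_event(line)
    if fields is None:
        return json.dumps({"message": line.strip(), "nps_parse_error": True})
    return json.dumps(fields, sort_keys=True)

if __name__ == "__main__":
    print(to_json_line(SAMPLE))
```

Lines that fail to parse are passed through with a marker field rather than dropped, so truncated or malformed events remain visible downstream.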
