Xml decoder filebeat linux

Hello Community, I have an issue in xml decoder, I’m trying to decode sysmon for linuxs logs i’m using filebeat to send the logs from ubuntu server to my graylog everything works great however filebeat is decoding the keys instead of values of the message.

here is what my graylog showing after decoding.

• it’s showing the decoded keys not the values.
  
  

  gray1420×660 20.4 KB

here is my filebeat configuration

filebeat721×288 6.71 KB

what am I missing in my filebeat configuration.

my environment:
ubuntu server 22
graylog 5.0
elasticsearch 7.10
mongo 6
filebeat 8.0

anyone who can help please?

Hi @tijaabo,

I don’t see that Elastic supports collecting XML from sysinternals for linux using filebeat (see link below). I do see that sysmon can output via syslog. Perhaps that would be a better path forward.

OR I also see that nxlog supports collection of sysmon for linus. See last link below.

Good luck!

hey @joe.gross thanks for the replay. I did some research and I know nxlog is the best option for collecting sysmon for linux.
Can you help me how to deploy nxlog comunity version on linux because I can’t see any tutorials about it.
I checked also nxlog website there is no guidelines about how to install nxlog on linux.

thanks.

Try this for getting it installed. Then google collecting sysmon for linux with nxlog and you should find something that will show you how to set the nxlog configuration file.

Good luck!

hey @joe.gross thanks for the replies I finally solved my issue.
I used filebreat decode xml wineventlog

for people who may search for future here is the processor I used

processors:

• decode_xml_wineventlog:
  field: event.original
  target_field: winlog

@tijaabo, that’s great news. Thank you for coming back to post the solution for other users!

Happy Graylogging!

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.