XML Processing Help

Technical Question
, , , ,
1

Hey, if I have an event that is coming into Crible Stream, with format of “<?xml version="1.0" encoding="UTF-8"?>” how would I convert the event to JSON?
I see the use of C.Text.parseXml(_raw, false), but that doesnt seem to parse it properly for me. Maybe I’m doing it wrong, but it doesnt seem to get parsed. How would I do that? Tools such as NiFi can convert from XML to JSON easily and quickly, but this seems a bit harder.

2

Can you share a sanitized or stripped down example XML you’re having trouble parsing? Does each event start with <?xml> tag, or a file with multiple events?

3

@eugene its similar to McAfee HBSS data such as:

<?xml version="1.0" encoding="UTF-8"?>
<SCORData>
    <MachineInfo>
        <MachineName>HOSTNAME</MachineName>
        <AgentGUID>GUID HERE</AgentGUID>
        <IPAddress>127.0.0.1</IPAddress>
        <OSName>Windows 8 Workstation</OSName>
        <UserName>SYSTEM</UserName>
        <TimeZoneBias>-60</TimeZoneBias>
        <RawMACAddress>123456789012</RawMACAddress>
    </MachineInfo>
    <SCORSoftware ProductName="Solidifier" ProductVersion="8.2.0.140" ProductFamily="Secure">
        <SCOREvent>
            <EventID>12321</EventID>
            <Severity>1</Severity>
            <GMTTime>2000-11-21T11:31:57</GMTTime>
            <SCORevent_name>COMMAND_EXECUTED</SCORevent_name>
            <SCORevt_id>8</SCORevt_id>
            <SCORevt_type>EVT_CAT_TYPE_INFO</SCORevt_type>
            <SCORevt_sink>7</SCORevt_sink>
            <SCORseq_no>1</SCORseq_no>
            <SCORtime_stamp>1637494316200</SCORtime_stamp>
            <SCORserver_state>0</SCORserver_state>
            <SCORend_time>Sun Nov 21 2000 12:31:56</SCORend_time>
            <SCORuser_name>...</SCORuser_name>
            <SCORcmd_line>...</SCORcmd_line>
            <SCORstatus>0</SCORstatus>
        </SCOREvent>
    </SCORSoftware>
</SCORData>
4

This setup worked for me. Can you check where yours differs?

image
image1187×647 78.4 KB

5

@eugene It looks like that works. Thanks. That helps. Would be nice to have that included in the official documentation

6

Glad it helped! Please mark the answer as the Solution when you have a chance.

I’ll talk to the docs team about making an update. What was the new insight you gained from my answer? How was it different from what you were trying to do?

7

@eugene the documentation Reducing Windows XML Events | Cribl Docs shows that it can be run like: C.Text.parseXml(_raw, false) so with 2 variables not 1 in the parenthesis. C.Text.parseXml(_raw, false) , which is different than what worked of C.Text.parseXml(_raw)

1 UpGoat
8

Strange. With the sample you shared, C.Text.parseXml(_raw,false) works (as does true) just as well for me. I wonder if something else.