Our vulnerability scanner is only able to provide XML output and i would like to get this into Splunk. The problem I am running into is that each system can have multiple events called audits. I would like to know how to set up the BREAK_ONLY_BEFORE and MUST_BREAK_AFTER parameters to match the audits to each system.
Data format is
```xml
<host>
<ip>10.12.60.24</ip>
<audit>
<cve>CVE-1</cve>
</audit>
<audit>
<cve>CVE-2</cve>
</audit>
</host>
<host>
<ip>10.12.60.25</ip>
<audit>
<cve>CVE-4</cve>
</audit>
<audit>
<cve>CVE-8</cve>
</audit>
</host>
```
I would then be able to generate a table that would look like this:

| System | Audit1 | Audit2 |
|---|---|---|
| 10.12.60.24 | CVE-1 | CVE-2 |
| 10.12.60.24 | CVE-4 | CVE-8 |
Regards,
Scott
Unfortunately you cannot break the events the way you're hoping; however, taking an event like `<host> <ip>10.12.60.24</ip> <audit> <cve>CVE-1</cve> </audit> <audit> <cve>CVE-2</cve> </audit> </host>`, you have a few options at search time to extract the data how you want. That will depend a bit on the structure of the log, though. For example, are there always two audit events? Or can there be multiple events?
There can be dozens of audit events per IP with no consistency between them. What I am saying is that IP 10.12.60.24 can have 30 CVEs, 10.12.60.25 can have 56 CVEs, 10.12.60.26 can have 4 CVEs and 10.12.60.25 can have 100 CVEs. I am thinking that I might have to run a report that takes in the indexed data that I do a BREAK on IP, have that output a csv file and try and extract the CVEs that way.
I am a little confused. Do you want to break events at the `<audit>` tag? This will give you many single-line events like `<audit> <cve>CVE-1</cve> </audit>`, `<audit> <cve>CVE-2</cve> </audit>`. Or do you want to extract the values of `<cve>` between audit tags? Please explain further if I misinterpreted your question.
The format of the file didn't quite come out the way I wanted, so it is a little hard to visualize. I would like to extract the values of for each . The problem I am running into is if I do the break at , the sections aren't broken up and all the data is one big line that can have dozens of CVEs, with each host having different outputs. When I break at the , this loses the pointer back to the . Is there a way to do "nested" breaks?
Thanks,
Scott
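Scott's fallback plan above (break per host, produce a CSV, then pull the CVEs out of that) as an added example, not code from the thread or from Splunk: a small Python pre-processor that keeps each CVE tied to its host IP and emits one flat `system,cve` line per finding, so the indexer only has to break on newlines and no nested break is needed. The sample XML is constructed to mirror the posted data; the scanner output is assumed to be a bare sequence of `<host>` elements with no root.

```python
import csv
import io
import re
import xml.etree.ElementTree as ET

# Constructed sample in the shape of the posted scanner output (no root element).
SAMPLE_XML = """<host>
<ip>10.12.60.24</ip>
<audit><cve>CVE-1</cve></audit>
<audit><cve>CVE-2</cve></audit>
</host>
<host>
<ip>10.12.60.25</ip>
<audit><cve>CVE-4</cve></audit>
<audit><cve>CVE-8</cve></audit>
</host>"""


def _wrap(xml_text):
    # Scanner output may be a bare run of <host> elements; give it a synthetic
    # root so the parser accepts it. A leading XML declaration, if any, is dropped.
    body = re.sub(r"^\s*<\?xml[^>]*\?>", "", xml_text)
    return "<root>" + body + "</root>"


def host_findings(xml_text):
    """Return {ip: [cve, ...]}, preserving the host-to-audit relationship that a
    flat line break on <audit> would lose. Hosts without an <ip> are skipped."""
    root = ET.fromstring(_wrap(xml_text))
    findings = {}
    for host in root.iter("host"):
        ip = host.findtext("ip")
        if not ip or not ip.strip():
            continue
        cves = [c.text.strip() for c in host.iter("cve") if c.text and c.text.strip()]
        findings.setdefault(ip.strip(), []).extend(cves)
    return findings


def to_csv_rows(findings):
    """One (ip, cve) pair per finding: each row is a self-contained event."""
    return [(ip, cve) for ip, cves in sorted(findings.items()) for cve in cves]


def write_csv(findings):
    """Render the flattened rows as CSV text ready to be monitored by Splunk."""
    buf = io.StringIO()
    writer = csv.writer(buf)
    writer.writerow(["system", "cve"])
    writer.writerows(to_csv_rows(findings))
    return buf.getvalue()


if __name__ == "__main__":
    print(write_csv(host_findings(SAMPLE_XML)))
```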