I am trying to parse XML reports (that I receive from OpenVas) in Splunk.But I am not able to find the right way to do it. I haven't found much documentation around this either. I've read up on whatever I could find, but nothing helped. I've tried xmlkv and xpath commands to try and parse the XML. But I am at a complete loss because these reports are really big and its difficult to find a correlation between the fields. I've been trying to figure this out for a couple of months but I haven't come up with a good solution so far. Also because some of the fields are deeply nested, its getting complicated to extract these fields keeping the structure intact. Is it a good idea to still attempt to parse these fields or should I consider changing the report format? As much as possible, I'd like to avoid that. I'm receiving this report on a port as a single event (meaning, the complete report of about 100 lines is indexed as a single event in Splunk).
Any help on this will be greatly appreciated. I can provide a sample of the file if it is necessary.
Thank you.
Anything about openvas vulnerability scans in xml format ?
Hi
I know this is an old post, but did you ever get this working. I am using openvas too
Thanks
You should be looking at the spath command (as long as you on version 4.3 or higher). xmlkv and xpath are somewhat more complex and less flexible.
Ok, thank you for the quick response. I tried using spath like this,
whatever_search | spath output=scan_end path=report.report.scan_end
The XML format:
...
So the scan_end field should contain "Sat Mar 31 21:16:59 2012", correct? But I don't see that field at all. Am I missing something?