Logstashの設定ファイルがChatGPTで生成できるという話
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<!-- Sample exported Windows event (System channel, provider "Service Control
     Manager", EventID 7036). The Guid, EventRecordID, Computer and Binary
     values look like placeholders. The default namespace declared on <Event>
     applies to every element below, so any XPath evaluated against this
     document must bind or strip that namespace, or it selects nothing. -->
<System>
<Provider Name="Service Control Manager" Guid="{GUID}" EventSourceName="Service Control Manager" />
<EventID Qualifiers="16384">7036</EventID>
<Version>0</Version>
<Level>4</Level>
<Task>0</Task>
<Opcode>0</Opcode>
<Keywords>0x8080000000000000</Keywords>
<TimeCreated SystemTime="2023-05-23T10:15:27.000000Z" />
<EventRecordID>123456</EventRecordID>
<Correlation />
<Execution ProcessID="0" ThreadID="0" />
<Channel>System</Channel>
<Computer>ComputerName</Computer>
<Security />
</System>
<EventData>
<Data Name="param1">Windows Update</Data>
<Data Name="param2">running</Data>
<Binary>ABC1234567890</Binary>
</EventData>
</Event>
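input {
  # Logstash input settings (example: file input).
  # Reads exported Windows event XML from a file and reassembles each
  # multi-line <Event> element into one record with the multiline codec.
  file {
    path => "/path/to/your/event_log.xml"
    # Read from the first line instead of tailing only newly appended lines.
    start_position => "beginning"
    # No sincedb: every (re)start re-reads the whole file. Acceptable for a
    # one-off example; use a persistent path to avoid re-ingesting on restart.
    sincedb_path => "/dev/null"
    codec => multiline {
      # A line that opens a new <Event xmlns=...> element starts a new record;
      # every other line (negate => true) is appended to the previous record.
      pattern => "<Event xmlns"
      negate => true
      what => "previous"
      # Without a flush interval the last event in the file stays buffered
      # until another "<Event xmlns" line arrives; emit it after 5 idle seconds.
      auto_flush_interval => 5
    }
  }
}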
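filter {
  # Parse the reassembled event XML and lift selected fields to the top level.
  xml {
    source => "message"
    # Only used when store_xml is true; kept so the parsed tree can be stored
    # later by flipping store_xml.
    target => "parsed"
    force_array => false
    store_xml => false
    # The events declare a default namespace
    # (xmlns="http://schemas.microsoft.com/win/2004/08/events/event"), so the
    # unprefixed XPath expressions below would select nothing against the
    # original document. Stripping namespaces before evaluation makes them
    # resolve; the alternative is a `namespaces` map plus prefixed paths.
    remove_namespaces => true
    # Each xpath result is stored as an array of strings (e.g. event_id => ["7036"])
    # in this filter — confirm for your Logstash version and convert downstream
    # if a scalar is needed. param1/param2 carry the service name and state
    # exactly as the event recorded them; treat them as untrusted input.
    xpath => [
      "/Event/System/Provider/@Name", "provider_name",
      "/Event/System/Provider/@Guid", "provider_guid",
      "/Event/System/Provider/@EventSourceName", "event_source_name",
      "/Event/System/EventID/text()", "event_id",
      "/Event/System/Version/text()", "version",
      "/Event/System/Level/text()", "level",
      "/Event/System/Task/text()", "task",
      "/Event/System/Opcode/text()", "opcode",
      "/Event/System/Keywords/text()", "keywords",
      "/Event/System/TimeCreated/@SystemTime", "time_created",
      "/Event/System/EventRecordID/text()", "event_record_id",
      "/Event/System/Channel/text()", "channel",
      "/Event/System/Computer/text()", "computer",
      "/Event/EventData/Data[@Name='param1']/text()", "param1",
      "/Event/EventData/Data[@Name='param2']/text()", "param2"
    ]
    # On a parse error the filter tags the event (default "_xmlparsefailure")
    # instead of dropping it; route on that tag to catch malformed input.
  }
}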
output {
# Logstashの出力設定(例:標準出力)
stdout {
codec => rubydebug
}