XML Processing Help

msr1716

Hey, if I have an event that is coming into Crible Stream, with format
of “<?xml version="1.0" encoding="UTF-8"?>” how would I convert
the event to JSON?
I see the use of C.Text.parseXml(_raw, false), but that
doesnt seem to parse it properly for me. Maybe I’m doing it wrong, but
it doesnt seem to get parsed. How would I do that? Tools such as NiFi
can convert from XML to JSON easily and quickly, but this seems a bit
harder.

Eugene Katz

This setup worked for me. Can you check where yours differs?

Eugene Katz

Can you share a sanitized or stripped down example XML you’re having
trouble parsing? Does each event start with <?xml> tag, or a file
with multiple events?

msr1716

@eugene its similar to McAfee HBSS data such as:

<?xml version="1.0" encoding="UTF-8"?>
<SCORData>
    <MachineInfo>
        <MachineName>HOSTNAME</MachineName>
        <AgentGUID>GUID HERE</AgentGUID>
        <IPAddress>127.0.0.1</IPAddress>
        <OSName>Windows 8 Workstation</OSName>
        <UserName>SYSTEM</UserName>
        <TimeZoneBias>-60</TimeZoneBias>
        <RawMACAddress>123456789012</RawMACAddress>
    </MachineInfo>
    <SCORSoftware ProductName="Solidifier" ProductVersion="8.2.0.140" ProductFamily="Secure">
        <SCOREvent>
            <EventID>12321</EventID>
            <Severity>1</Severity>
            <GMTTime>2000-11-21T11:31:57</GMTTime>
            <SCORevent_name>COMMAND_EXECUTED</SCORevent_name>
            <SCORevt_id>8</SCORevt_id>
            <SCORevt_type>EVT_CAT_TYPE_INFO</SCORevt_type>
            <SCORevt_sink>7</SCORevt_sink>
            <SCORseq_no>1</SCORseq_no>
            <SCORtime_stamp>1637494316200</SCORtime_stamp>
            <SCORserver_state>0</SCORserver_state>
            <SCORend_time>Sun Nov 21 2000 12:31:56</SCORend_time>
            <SCORuser_name>...</SCORuser_name>
            <SCORcmd_line>...</SCORcmd_line>
            <SCORstatus>0</SCORstatus>
        </SCOREvent>
    </SCORSoftware>
</SCORData>

Eugene Katz

This setup worked for me. Can you check where yours differs?

msr1716

@eugene It looks like that works. Thanks. That helps. Would be nice to have that included in the official documentation

Eugene Katz

Glad it helped! Please mark the answer as the Solution when you have a chance.

Would be nice to have that included in the official documentation

I’ll talk to the docs team about making an update. What was the new
insight you gained from my answer? How was it different from what you
were trying to do?

msr1716

@eugene the documentation Reducing Windows XML Events | Cribl Docs shows that it can be run like: C.Text.parseXml(_raw, false) so with 2 variables not 1 in the parenthesis. C.Text.parseXml(_raw, false) , which is different than what worked of C.Text.parseXml(_raw)

Eugene Katz

Strange. With the sample you shared, C.Text.parseXml(_raw,false) works (as does true) just as well for me. I wonder if something else.