Dashboards & Visualizations

How to parse XML file in Splunk (Qualys report)

danje57
Path Finder

Hi all,

I'm trying for the very first time to parse XML with Splunk.

My file is a Qualys report. Typically, however, I can' t use the Qualys Splunk app as I receive only the XML report file.

I would like to parse it using Splunk, however, I don't know what are the configurations to apply and what are the steps for that.

I need to parse data in stanza and retrieve all information which are in blocks.

Do you have any suggestion?

An example of the content of the XML file:

<?xml version="1.0" encoding="UTF-8" ?>

<!DOCTYPE SCAN SYSTEM "https://qualysguard.qualys.eu/scan-1.dtd">
<SCAN value="scan/1461622087.17863">

<HEADER>
  <KEY value="USERNAME">username</KEY>
  <KEY value="COMPANY"><![CDATA[Five Security]]></KEY>
  <KEY value="DATE">2016-04-25T22:08:07Z</KEY>
  <KEY value="TITLE"><![CDATA[MYNAME - Standard PCI Scan]]></KEY>
  <KEY value="TARGET"><![CDATA[10.10.10.10-20.20.20.20]]></KEY>
  <KEY value="EXCLUDED_TARGET"><![CDATA[N/A]]></KEY>
  <KEY value="DURATION">02:14:41</KEY>
  <KEY value="SCAN_HOST">64.39.102.166 (Scanner 8.2.14-1, Vulnerability Signatures 2.3.292-3)</KEY>
  <KEY value="NBHOST_ALIVE">27</KEY>
  <KEY value="NBHOST_TOTAL">64</KEY>
  <KEY value="REPORT_TYPE">Scheduled</KEY>
  <KEY value="OPTIONS"><![CDATA[Full TCP scan, Standard Password Brute Forcing, parallel ML scaling disabled for appliances, Load balancer detection OFF, Overall Performance: High, Hosts to Scan in Parallel - External Scanners: 20, Hosts to Scan in Parallel - Scanner Appliances: 40, Total Processes to Run in Parallel: 15, HTTP Processes to Run in Parallel: 15, Packet (Burst) Delay: Short, Intensity: Normal]]></KEY>
  <KEY value="STATUS">FINISHED</KEY>
  <ASSET_GROUPS>
    <ASSET_GROUP>
      <ASSET_GROUP_TITLE><![CDATA[MYNAME]]></ASSET_GROUP_TITLE>
    </ASSET_GROUP>
  </ASSET_GROUPS>
  <OPTION_PROFILE>
    <OPTION_PROFILE_TITLE option_profile_default="0"><![CDATA[Payment Card Industry (PCI) Options]]></OPTION_PROFILE_TITLE>
  </OPTION_PROFILE>
</HEADER>

<IP value="10.10.10.11" name="reverse.domain.local">
  <OS><![CDATA[Cisco IOS XR]]></OS>
  <INFOS>
    <CAT value="Information gathering">
      <INFO number="6" severity="1">
        <TITLE><![CDATA[DNS Host Name]]></TITLE>
        <LAST_UPDATE><![CDATA[1999-01-01T08:00:00Z]]></LAST_UPDATE>
        <PCI_FLAG>0</PCI_FLAG>
        <DIAGNOSIS><![CDATA[The fully qualified domain name of this host, if it was obtained from a DNS server, is displayed in the RESULT section.]]></DIAGNOSIS>
        <RESULT format="table"><![CDATA[IP address  Host name
213.166.32.64   reverse.domain.local]]></RESULT>
      </INFO>
      <INFO number="45172" severity="1">
        <TITLE><![CDATA[Cisco IOS Installed on Target Host]]></TITLE>
        <LAST_UPDATE><![CDATA[2012-07-31T21:02:39Z]]></LAST_UPDATE>
        <PCI_FLAG>0</PCI_FLAG>
        <DIAGNOSIS><![CDATA[Cisco IOS installation was found on target host.]]></DIAGNOSIS>
        <CONSEQUENCE><![CDATA[N/A]]></CONSEQUENCE>
        <SOLUTION><![CDATA[N/A]]></SOLUTION>
        <RESULT><![CDATA[Cisco IOS XR]]></RESULT>
      </INFO>
      <INFO number="45039" severity="1">
        <TITLE><![CDATA[Host Names Found]]></TITLE>
        <LAST_UPDATE><![CDATA[2005-02-14T21:01:44Z]]></LAST_UPDATE>
        <PCI_FLAG>0</PCI_FLAG>
        <DIAGNOSIS><![CDATA[The following host names were discovered for this computer using various methods such as DNS look up, NetBIOS query, and SQL server name query.]]></DIAGNOSIS>
        <CONSEQUENCE><![CDATA[N/A]]></CONSEQUENCE>
        <SOLUTION><![CDATA[N/A]]></SOLUTION>
        <RESULT format="table"><![CDATA[Host Name   Source
reverse.domain.local    FQDN]]></RESULT>
      </INFO>
      <INFO number="45038" severity="1">
        <TITLE><![CDATA[Host Scan Time]]></TITLE>
        <LAST_UPDATE><![CDATA[2016-03-18T21:41:40Z]]></LAST_UPDATE>
        <PCI_FLAG>0</PCI_FLAG>
        <DIAGNOSIS><![CDATA[The Host Scan Time is the period of time it takes the scanning engine to perform the vulnerability assessment of a single target host. The Host Scan Time for this host is reported in the Result section below. 
<P>
The Host Scan Time does not have a direct correlation to the Duration time as displayed in the Report Summary section of a scan results report. The Duration is the period of time it takes the service to perform a scan task. The Duration includes the time it takes the service to scan all hosts, which may involve parallel scanning. It also includes the time it takes for a scanner appliance to pick up the scan task and transfer the results back to the service's Secure Operating Center. Further, when a scan task is distributed across multiple scanners, the Duration includes the time it takes to perform parallel host scanning on all scanners.
<P>
For host running the Qualys Windows agent this QID reports the time taken by the agent to collect the host metadata used for the most recent assessment scan.]]></DIAGNOSIS>
        <CONSEQUENCE><![CDATA[N/A]]></CONSEQUENCE>
        <SOLUTION><![CDATA[N/A]]></SOLUTION>
        <RESULT><![CDATA[Scan duration: 2042 seconds

Start time: Mon, Apr 25 2016, 22:09:04 GMT

End time: Mon, Apr 25 2016, 22:43:06 GMT]]></RESULT>
      </INFO>
    </CAT>
    <CAT value="TCP/IP">
      <INFO number="82046" severity="1">
        <TITLE><![CDATA[IP ID Values Randomness]]></TITLE>
        <LAST_UPDATE><![CDATA[2006-07-27T21:45:19Z]]></LAST_UPDATE>
        <PCI_FLAG>0</PCI_FLAG>
        <DIAGNOSIS><![CDATA[The values for the identification (ID) field in IP headers in IP packets from the host are analyzed to determine how random they are. The changes between subsequent ID values for either the network byte ordering or the host byte ordering, whichever is smaller, are displayed in the RESULT section along with the duration taken to send the probes. When incremental values are used, as is the case for TCP/IP implementation in many operating systems, these changes reflect the network load of the host at the time this test was conducted.
<P>
Please note that for reliability reasons only the network traffic from open TCP ports is analyzed.]]></DIAGNOSIS>
        <CONSEQUENCE><![CDATA[N/A]]></CONSEQUENCE>
        <SOLUTION><![CDATA[N/A]]></SOLUTION>
        <RESULT><![CDATA[IP ID changes observed (network order) for port 646: 1 1 1 1 1 1 1 1 1 1 3 292 1048 1344 1488 1520 1536 1536 1552 1737 1928 3251 8924 9768 9769 29767 32131 33258 33258 
Duration: 33 milli seconds]]></RESULT>
      </INFO>
      <INFO number="82045" severity="1">
        <TITLE><![CDATA[Degree of Randomness of TCP Initial Sequence Numbers]]></TITLE>
        <LAST_UPDATE><![CDATA[2004-11-19T21:53:59Z]]></LAST_UPDATE>
        <PCI_FLAG>0</PCI_FLAG>
        <DIAGNOSIS><![CDATA[TCP Initial Sequence Numbers (ISNs) obtained in the SYNACK replies from the host are analyzed to determine how random they are. The average change between subsequent ISNs and the standard deviation from the average are displayed in the RESULT section. Also included is the degree of difficulty for exploitation of the TCP ISN generation scheme used by the host.]]></DIAGNOSIS>
        <CONSEQUENCE><![CDATA[N/A]]></CONSEQUENCE>
        <SOLUTION><![CDATA[N/A]]></SOLUTION>
        <RESULT><![CDATA[Average change between subsequent TCP initial sequence numbers is 1050445810 with a standard deviation of 620675781. These TCP initial sequence numbers were triggered by TCP SYN probes sent to the host at an average rate of 1/(5255 microseconds). The degree of difficulty to exploit the TCP initial sequence number generation scheme is: hard.]]></RESULT>
      </INFO>
    </CAT>
  </INFOS>
  <SERVICES>
    <CAT value="Information gathering">
      <SERVICE number="45017" severity="2">
        <TITLE><![CDATA[Operating System Detected]]></TITLE>
        <LAST_UPDATE><![CDATA[2016-04-22T18:42:30Z]]></LAST_UPDATE>
        <PCI_FLAG>0</PCI_FLAG>
        <DIAGNOSIS><![CDATA[Several different techniques can be used to identify the operating system (OS) running on a host. A short description of these techniques is provided below. The specific technique used to identify the OS on this host is included in the RESULTS section of your report.
<P>
1) <B>TCP/IP Fingerprint</B>: The operating system of a host can be identified from a remote system using TCP/IP fingerprinting. All underlying operating system TCP/IP stacks have subtle differences that can be seen in their responses to specially-crafted TCP packets. According to the results of this &quot;fingerprinting&quot; technique, the OS version is among those listed below. 
<P>
Note that if one or more of these subtle differences are modified by a firewall or a packet filtering device between the scanner and the host, the fingerprinting technique may fail. Consequently, the version of the OS may not be detected correctly. If the host is behind a proxy-type firewall, the version of the operating system detected may be that of the firewall instead of the host being scanned.
<P>
2) <B>NetBIOS</B>: Short for Network Basic Input Output System, an application programming interface (API) that augments the DOS BIOS by adding special functions for local-area networks (LANs). Almost all LANs for PCs are based on the NetBIOS. Some LAN manufacturers have even extended it, adding additional network capabilities. NetBIOS relies on a message format called Server Message Block (SMB). 
<P>
3) <B>PHP Info</B>: PHP is a hypertext pre-processor, an open-source, server-side, HTML-embedded scripting language used to create dynamic Web pages. Under some configurations it is possible to call PHP functions like phpinfo() and obtain operating system information.
<P>
4) <B>SNMP</B>: The Simple Network Monitoring Protocol is used to monitor hosts, routers, and the networks to which they attach. The SNMP service maintains Management Information Base (MIB), a set of variables (database) that can be fetched by Managers. These include &quot;MIB_II.system.sysDescr&quot; for the operating system.]]></DIAGNOSIS>
        <CONSEQUENCE><![CDATA[Not  applicable]]></CONSEQUENCE>
        <SOLUTION><![CDATA[Not  applicable]]></SOLUTION>
        <RESULT format="table"><![CDATA[Operating System    Technique   ID
Cisco IOS XR    TCP/IP Fingerprint  U4791:646]]></RESULT>
      </SERVICE>
    </CAT>
    <CAT value="Firewall">
      <SERVICE number="34011" severity="1">
        <TITLE><![CDATA[Firewall Detected]]></TITLE>
        <LAST_UPDATE><![CDATA[2001-10-16T22:36:36Z]]></LAST_UPDATE>
        <PCI_FLAG>0</PCI_FLAG>
        <DIAGNOSIS><![CDATA[A packet filtering device protecting this IP was detected. This is likely to be a firewall or a router using access control lists (ACLs).]]></DIAGNOSIS>
        <RESULT><![CDATA[Listed below are the ports filtered by the firewall.
No response has been received when any of these ports are probed.
6,8,10,12,14,16,26,30,32,34,36,225-227,229-231,233-234,238-241,247-254,
266,268,270-277,279,283-288,291-300,304,306,313-316,319-321,326,328-338,
341-342,352-354,356-362,365-368,582-584,588-589,594-595,597,599,601-602,
605,621-623,625-626,628-630,638-641,643,645,648-653,655-662,664-665,675,
678-680,682-687,689-690,692,695-699,701-703,708,712,715-717,719-721,723-725,
727-728,733-739,743,745-746,755-757,766,768,778-779,784-785,787,789,791-792,
794,796,798,802-803,805-811,813-814,816-820,822,824-830,833,835-841,844-845,
847-851,853-857,861-864,868,870-872,874-877,880-885,889-890,894-899,902-904,
906-908,910,913-915,919-923,925-930,932-933,935-940,942, and more.
We have omitted from this list 48946 higher ports to keep the report size manageable.]]></RESULT>
      </SERVICE>
    </CAT>
    <CAT value="TCP/IP">
      <SERVICE number="82023" severity="1">
        <TITLE><![CDATA[Open TCP Services List]]></TITLE>
        <LAST_UPDATE><![CDATA[2009-06-15T18:32:21Z]]></LAST_UPDATE>
        <PCI_FLAG>0</PCI_FLAG>
        <DIAGNOSIS><![CDATA[The port scanner enables unauthorized users with the appropriate tools to draw a map of all services on this host that can be accessed from the Internet.  The test was carried out with a &quot;stealth&quot; port scanner so that the server does not log real connections.
<P>
The Results section displays the port number (Port), the default service listening on the port (IANA Assigned Ports/Services), the description of the service (Description) and the service that the scanner detected using service discovery (Service Detected).]]></DIAGNOSIS>
        <CONSEQUENCE><![CDATA[Unauthorized users can exploit this information to test vulnerabilities in each of the open services.]]></CONSEQUENCE>
        <SOLUTION><![CDATA[Shut down any unknown or unused service on the list.  If you have difficulty figuring out which service is provided by which process or program, contact your provider's support team.  For more information about commercial and open-source Intrusion Detection Systems available for detecting port scanners of this kind, visit the <A HREF="http://www.cert.org" TARGET="_blank">CERT Web site</A>.]]></SOLUTION>
        <RESULT format="table"><![CDATA[Port    IANA Assigned Ports/Services    Description Service Detected    OS On Redirected Port
646 unknown unknown unknown]]></RESULT>
      </SERVICE>
    </CAT>
  </SERVICES>
</IP>
<IP value="10.10.10.12" name="reverse.domain.local">
  <OS><![CDATA[Cisco IOS XR]]></OS>
  <INFOS>
    <CAT value="Information gathering">
      <INFO number="6" severity="1">
        <TITLE><![CDATA[DNS Host Name]]></TITLE>
        <LAST_UPDATE><![CDATA[1999-01-01T08:00:00Z]]></LAST_UPDATE>
        <PCI_FLAG>0</PCI_FLAG>
        <DIAGNOSIS><![CDATA[The fully qualified domain name of this host, if it was obtained from a DNS server, is displayed in the RESULT section.]]></DIAGNOSIS>
        <RESULT format="table"><![CDATA[IP address  Host name
213.166.32.64   reverse.domain.local]]></RESULT>
      </INFO>
      <INFO number="45172" severity="1">
        <TITLE><![CDATA[Cisco IOS Installed on Target Host]]></TITLE>
        <LAST_UPDATE><![CDATA[2012-07-31T21:02:39Z]]></LAST_UPDATE>
        <PCI_FLAG>0</PCI_FLAG>
        <DIAGNOSIS><![CDATA[Cisco IOS installation was found on target host.]]></DIAGNOSIS>
        <CONSEQUENCE><![CDATA[N/A]]></CONSEQUENCE>
        <SOLUTION><![CDATA[N/A]]></SOLUTION>
        <RESULT><![CDATA[Cisco IOS XR]]></RESULT>
      </INFO>
      <INFO number="45039" severity="1">
        <TITLE><![CDATA[Host Names Found]]></TITLE>
        <LAST_UPDATE><![CDATA[2005-02-14T21:01:44Z]]></LAST_UPDATE>
        <PCI_FLAG>0</PCI_FLAG>
        <DIAGNOSIS><![CDATA[The following host names were discovered for this computer using various methods such as DNS look up, NetBIOS query, and SQL server name query.]]></DIAGNOSIS>
        <CONSEQUENCE><![CDATA[N/A]]></CONSEQUENCE>
        <SOLUTION><![CDATA[N/A]]></SOLUTION>
        <RESULT format="table"><![CDATA[Host Name   Source
reverse.domain.local    FQDN]]></RESULT>
      </INFO>
      <INFO number="45038" severity="1">
        <TITLE><![CDATA[Host Scan Time]]></TITLE>
        <LAST_UPDATE><![CDATA[2016-03-18T21:41:40Z]]></LAST_UPDATE>
        <PCI_FLAG>0</PCI_FLAG>
        <DIAGNOSIS><![CDATA[The Host Scan Time is the period of time it takes the scanning engine to perform the vulnerability assessment of a single target host. The Host Scan Time for this host is reported in the Result section below. 
<P>
The Host Scan Time does not have a direct correlation to the Duration time as displayed in the Report Summary section of a scan results report. The Duration is the period of time it takes the service to perform a scan task. The Duration includes the time it takes the service to scan all hosts, which may involve parallel scanning. It also includes the time it takes for a scanner appliance to pick up the scan task and transfer the results back to the service's Secure Operating Center. Further, when a scan task is distributed across multiple scanners, the Duration includes the time it takes to perform parallel host scanning on all scanners.
<P>
For host running the Qualys Windows agent this QID reports the time taken by the agent to collect the host metadata used for the most recent assessment scan.]]></DIAGNOSIS>
        <CONSEQUENCE><![CDATA[N/A]]></CONSEQUENCE>
        <SOLUTION><![CDATA[N/A]]></SOLUTION>
        <RESULT><![CDATA[Scan duration: 2042 seconds

Start time: Mon, Apr 25 2016, 22:09:04 GMT

End time: Mon, Apr 25 2016, 22:43:06 GMT]]></RESULT>
      </INFO>
    </CAT>
    <CAT value="TCP/IP">
      <INFO number="82046" severity="1">
        <TITLE><![CDATA[IP ID Values Randomness]]></TITLE>
        <LAST_UPDATE><![CDATA[2006-07-27T21:45:19Z]]></LAST_UPDATE>
        <PCI_FLAG>0</PCI_FLAG>
        <DIAGNOSIS><![CDATA[The values for the identification (ID) field in IP headers in IP packets from the host are analyzed to determine how random they are. The changes between subsequent ID values for either the network byte ordering or the host byte ordering, whichever is smaller, are displayed in the RESULT section along with the duration taken to send the probes. When incremental values are used, as is the case for TCP/IP implementation in many operating systems, these changes reflect the network load of the host at the time this test was conducted.
<P>
Please note that for reliability reasons only the network traffic from open TCP ports is analyzed.]]></DIAGNOSIS>
        <CONSEQUENCE><![CDATA[N/A]]></CONSEQUENCE>
        <SOLUTION><![CDATA[N/A]]></SOLUTION>
        <RESULT><![CDATA[IP ID changes observed (network order) for port 646: 1 1 1 1 1 1 1 1 1 1 3 292 1048 1344 1488 1520 1536 1536 1552 1737 1928 3251 8924 9768 9769 29767 32131 33258 33258 
Duration: 33 milli seconds]]></RESULT>
      </INFO>
      <INFO number="82045" severity="1">
        <TITLE><![CDATA[Degree of Randomness of TCP Initial Sequence Numbers]]></TITLE>
        <LAST_UPDATE><![CDATA[2004-11-19T21:53:59Z]]></LAST_UPDATE>
        <PCI_FLAG>0</PCI_FLAG>
        <DIAGNOSIS><![CDATA[TCP Initial Sequence Numbers (ISNs) obtained in the SYNACK replies from the host are analyzed to determine how random they are. The average change between subsequent ISNs and the standard deviation from the average are displayed in the RESULT section. Also included is the degree of difficulty for exploitation of the TCP ISN generation scheme used by the host.]]></DIAGNOSIS>
        <CONSEQUENCE><![CDATA[N/A]]></CONSEQUENCE>
        <SOLUTION><![CDATA[N/A]]></SOLUTION>
        <RESULT><![CDATA[Average change between subsequent TCP initial sequence numbers is 1050445810 with a standard deviation of 620675781. These TCP initial sequence numbers were triggered by TCP SYN probes sent to the host at an average rate of 1/(5255 microseconds). The degree of difficulty to exploit the TCP initial sequence number generation scheme is: hard.]]></RESULT>
      </INFO>
    </CAT>
  </INFOS>
  <SERVICES>
    <CAT value="Information gathering">
      <SERVICE number="45017" severity="2">
        <TITLE><![CDATA[Operating System Detected]]></TITLE>
        <LAST_UPDATE><![CDATA[2016-04-22T18:42:30Z]]></LAST_UPDATE>
        <PCI_FLAG>0</PCI_FLAG>
        <DIAGNOSIS><![CDATA[Several different techniques can be used to identify the operating system (OS) running on a host. A short description of these techniques is provided below. The specific technique used to identify the OS on this host is included in the RESULTS section of your report.
<P>
1) <B>TCP/IP Fingerprint</B>: The operating system of a host can be identified from a remote system using TCP/IP fingerprinting. All underlying operating system TCP/IP stacks have subtle differences that can be seen in their responses to specially-crafted TCP packets. According to the results of this &quot;fingerprinting&quot; technique, the OS version is among those listed below. 
<P>
Note that if one or more of these subtle differences are modified by a firewall or a packet filtering device between the scanner and the host, the fingerprinting technique may fail. Consequently, the version of the OS may not be detected correctly. If the host is behind a proxy-type firewall, the version of the operating system detected may be that of the firewall instead of the host being scanned.
<P>
2) <B>NetBIOS</B>: Short for Network Basic Input Output System, an application programming interface (API) that augments the DOS BIOS by adding special functions for local-area networks (LANs). Almost all LANs for PCs are based on the NetBIOS. Some LAN manufacturers have even extended it, adding additional network capabilities. NetBIOS relies on a message format called Server Message Block (SMB). 
<P>
3) <B>PHP Info</B>: PHP is a hypertext pre-processor, an open-source, server-side, HTML-embedded scripting language used to create dynamic Web pages. Under some configurations it is possible to call PHP functions like phpinfo() and obtain operating system information.
<P>
4) <B>SNMP</B>: The Simple Network Monitoring Protocol is used to monitor hosts, routers, and the networks to which they attach. The SNMP service maintains Management Information Base (MIB), a set of variables (database) that can be fetched by Managers. These include &quot;MIB_II.system.sysDescr&quot; for the operating system.]]></DIAGNOSIS>
        <CONSEQUENCE><![CDATA[Not  applicable]]></CONSEQUENCE>
        <SOLUTION><![CDATA[Not  applicable]]></SOLUTION>
        <RESULT format="table"><![CDATA[Operating System    Technique   ID
Cisco IOS XR    TCP/IP Fingerprint  U4791:646]]></RESULT>
      </SERVICE>
    </CAT>
    <CAT value="Firewall">
      <SERVICE number="34011" severity="1">
        <TITLE><![CDATA[Firewall Detected]]></TITLE>
        <LAST_UPDATE><![CDATA[2001-10-16T22:36:36Z]]></LAST_UPDATE>
        <PCI_FLAG>0</PCI_FLAG>
        <DIAGNOSIS><![CDATA[A packet filtering device protecting this IP was detected. This is likely to be a firewall or a router using access control lists (ACLs).]]></DIAGNOSIS>
        <RESULT><![CDATA[Listed below are the ports filtered by the firewall.
No response has been received when any of these ports are probed.
6,8,10,12,14,16,26,30,32,34,36,225-227,229-231,233-234,238-241,247-254,
266,268,270-277,279,283-288,291-300,304,306,313-316,319-321,326,328-338,
341-342,352-354,356-362,365-368,582-584,588-589,594-595,597,599,601-602,
605,621-623,625-626,628-630,638-641,643,645,648-653,655-662,664-665,675,
678-680,682-687,689-690,692,695-699,701-703,708,712,715-717,719-721,723-725,
727-728,733-739,743,745-746,755-757,766,768,778-779,784-785,787,789,791-792,
794,796,798,802-803,805-811,813-814,816-820,822,824-830,833,835-841,844-845,
847-851,853-857,861-864,868,870-872,874-877,880-885,889-890,894-899,902-904,
906-908,910,913-915,919-923,925-930,932-933,935-940,942, and more.
We have omitted from this list 48946 higher ports to keep the report size manageable.]]></RESULT>
      </SERVICE>
    </CAT>
    <CAT value="TCP/IP">
      <SERVICE number="82023" severity="1">
        <TITLE><![CDATA[Open TCP Services List]]></TITLE>
        <LAST_UPDATE><![CDATA[2009-06-15T18:32:21Z]]></LAST_UPDATE>
        <PCI_FLAG>0</PCI_FLAG>
        <DIAGNOSIS><![CDATA[The port scanner enables unauthorized users with the appropriate tools to draw a map of all services on this host that can be accessed from the Internet.  The test was carried out with a &quot;stealth&quot; port scanner so that the server does not log real connections.
<P>
The Results section displays the port number (Port), the default service listening on the port (IANA Assigned Ports/Services), the description of the service (Description) and the service that the scanner detected using service discovery (Service Detected).]]></DIAGNOSIS>
        <CONSEQUENCE><![CDATA[Unauthorized users can exploit this information to test vulnerabilities in each of the open services.]]></CONSEQUENCE>
        <SOLUTION><![CDATA[Shut down any unknown or unused service on the list.  If you have difficulty figuring out which service is provided by which process or program, contact your provider's support team.  For more information about commercial and open-source Intrusion Detection Systems available for detecting port scanners of this kind, visit the <A HREF="http://www.cert.org" TARGET="_blank">CERT Web site</A>.]]></SOLUTION>
        <RESULT format="table"><![CDATA[Port    IANA Assigned Ports/Services    Description Service Detected    OS On Redirected Port
646 unknown unknown unknown]]></RESULT>
      </SERVICE>
    </CAT>
  </SERVICES>
</IP>
0 Karma

danje57
Path Finder

my inputs.conf file is

[monitor://root/1.xml]
disabled = 0
sourcetype = TESTXML3
host=TESTXML_HOST

my outputs.conf is

[tcpout-server://192.168.32.128:9997]

my props.conf is

[TESTXML3]
KV_MODE = xml
LINE_BREAKER = (<IP>)
MUST_BREAK_AFTER = \</IP\>
NO_BINARY_CHECK = 1
SHOULD_LINEMERGE = false
TRUNCATE = 0
puldown_type = 1
0 Karma

jkat54
SplunkTrust
SplunkTrust

Must break after doesn't apply when should linemerge is false.

Your original line breaker will break the xml into improper xml.

Use SHOULD_LINEMERGE=true and BREAK_ONLY_AFTER=<\IP>

Also kv_mode is a search time extraction and as such it needs to be in the app you're viewing the data in but the other settings (should line merge and break only after) should be on the indexer or forwarder where the data is being sourced.

0 Karma

jkat54
SplunkTrust
SplunkTrust

In props.conf you use INDEXED_EXTRACTIONS=xml and you put the props on the forwarder or just /etc/system/local if you're on a single instance.

Click on the props.conf link here/above/below for more details on configuring props.conf.

0 Karma
.conf21 CFS Extended through 5/20!

Don't miss your chance
to share your Splunk
wisdom in-person or
virtually at .conf21!

Call for Speakers has
been extended through
Thursday, 5/20!