I am having issues configuring Splunk to Index NetApp CIFS logs in XML format.
Here is an example of 3 events:
<Events xmlns="http://www.netapp.com/schemas/ONTAP/2007/AuditLog">
<Event><System><Provider Name="Netapp-Security-Auditing"/><EventID>4656</EventID><EventName>Open Object</EventName><Version>101.3</Version><Source>CIFS</Source><Level>0</Level><Opcode>0</Opcode><Keywords>0x8020000000000000</Keywords><Result>Audit Success</Result><TimeCreated SystemTime="2016-03-24T17:00:18.275811000Z"/><Correlation/><Channel>Security</Channel><Computer>4cf616e5-deec-11e5-9347-00a0988f86b6/e64ece12-df28-11e5-9348-00a0988f86b6</Computer><Security/></System><EventData><Data Name="SubjectIP" IPVersion="4">10.10.10.10</Data><Data Name="SubjectUnix" Uid="0" Gid="1" Local="false"></Data><Data Name="SubjectUserSid">S-9-9-99-9999999999-999999999-9999999999-9999</Data><Data Name="SubjectUserIsLocal">false</Data><Data Name="SubjectDomainName">DOMAIN</Data><Data Name="SubjectUserName">admin</Data><Data Name="ObjectServer">Security</Data><Data Name="ObjectType">Directory</Data><Data Name="HandleID">0000000000041f;00;00000040;5e1fd3f6</Data><Data Name="ObjectName">(name);/</Data><Data Name="AccessList">%%4423 %%1541 </Data><Data Name="AccessMask">10080</Data><Data Name="DesiredAccess">Read Attributes; Synchronize; </Data><Data Name="Attributes">Open a directory; </Data></EventData></Event>
<Event><System><Provider Name="Netapp-Security-Auditing"/><EventID>4656</EventID><EventName>Open Object</EventName><Version>101.3</Version><Source>CIFS</Source><Level>0</Level><Opcode>0</Opcode><Keywords>0x8020000000000000</Keywords><Result>Audit Success</Result><TimeCreated SystemTime="2016-03-24T17:00:18.276812000Z"/><Correlation/><Channel>Security</Channel><Computer>4cf616e5-deec-11e5-9347-00a0988f86b6/e64ece12-df28-11e5-9348-00a0988f86b6</Computer><Security/></System><EventData><Data Name="SubjectIP" IPVersion="4">10.10.10.10</Data><Data Name="SubjectUnix" Uid="0" Gid="1" Local="false"></Data><Data Name="SubjectUserSid">S-9-9-99-9999999999-999999999-9999999999-9999</Data><Data Name="SubjectUserIsLocal">false</Data><Data Name="SubjectDomainName">DOMAIN</Data><Data Name="SubjectUserName">admin</Data><Data Name="ObjectServer">Security</Data><Data Name="ObjectType">Directory</Data><Data Name="HandleID">0000000000041f;00;00000040;5e1fd3f6</Data><Data Name="ObjectName">(name);/</Data><Data Name="AccessList">%%4423 %%1541 </Data><Data Name="AccessMask">10080</Data><Data Name="DesiredAccess">Read Attributes; Synchronize; </Data><Data Name="Attributes"></Data></EventData></Event>
<Event><System><Provider Name="Netapp-Security-Auditing"/><EventID>4656</EventID><EventName>Open Object</EventName><Version>101.3</Version><Source>CIFS</Source><Level>0</Level><Opcode>0</Opcode><Keywords>0x8020000000000000</Keywords><Result>Audit Success</Result><TimeCreated SystemTime="2016-03-24T17:00:18.561808000Z"/><Correlation/><Channel>Security</Channel><Computer>4cf616e5-deec-11e5-9347-00a0988f86b6/e64ece12-df28-11e5-9348-00a0988f86b6</Computer><Security/></System><EventData><Data Name="SubjectIP" IPVersion="4">10.10.10.10</Data><Data Name="SubjectUnix" Uid="0" Gid="1" Local="false"></Data><Data Name="SubjectUserSid">S-9-9-99-9999999999-999999999-9999999999-9999</Data><Data Name="SubjectUserIsLocal">false</Data><Data Name="SubjectDomainName">DOMAIN</Data><Data Name="SubjectUserName">admin</Data><Data Name="ObjectServer">Security</Data><Data Name="ObjectType">Directory</Data><Data Name="HandleID">0000000000041f;00;00000040;5e1fd3f6</Data><Data Name="ObjectName">(name);/</Data><Data Name="AccessList">%%4423 %%1541 </Data><Data Name="AccessMask">10080</Data><Data Name="DesiredAccess">Read Attributes; Synchronize; </Data><Data Name="Attributes">Open a directory; </Data></EventData></Event>
I've attempted to create a props.conf with KV_MODE = xml, but haven't had any success yet.
Any assistance would be appreciated.
Thanks.
... View more