<div id="readability-page-1" class="page"><div id="post-body-7634218921962122888" itemprop="articleBody">
<p>xml 포맷을 갖는 <a href="https://kangmyounghun.blogspot.com/2021/01/sysmon-dns.html" target="_blank">sysmon 이벤트</a> 로그. 가장 중요한 EventData 계층은 동일한 Data 자식 계층이 반복되는 중첩 구조를 가지고 있다.&nbsp;</p><div><pre><code>&lt;Event&gt;
	&lt;System&gt;
		&lt;Provider Name="Linux-Sysmon" Guid="{ff032593-a8d3-4f13-b0d6-01fc615a0f97}"/&gt;
		&lt;EventID&gt;5&lt;/EventID&gt;
		&lt;Version&gt;3&lt;/Version&gt;
		&lt;Level&gt;4&lt;/Level&gt;
		&lt;Task&gt;5&lt;/Task&gt;
		&lt;Opcode&gt;0&lt;/Opcode&gt;
		&lt;Keywords&gt;0x8000000000000000&lt;/Keywords&gt;
		&lt;TimeCreated SystemTime="2026-01-04T18:12:34.451516000Z"/&gt;
<span><a name="more"></a></span>		&lt;EventRecordID&gt;8660&lt;/EventRecordID&gt;
		&lt;Correlation/&gt;
		&lt;Execution ProcessID="947" ThreadID="947"/&gt;
		&lt;Channel&gt;Linux-Sysmon/Operational&lt;/Channel&gt;
		&lt;Computer&gt;rocky&lt;/Computer&gt;
		&lt;Security UserId="0"/&gt;
	&lt;/System&gt;
	&lt;EventData&gt;
		&lt;Data Name="RuleName"&gt;-&lt;/Data&gt;
		&lt;Data Name="UtcTime"&gt;2026-01-04 18:12:34.454&lt;/Data&gt;
		&lt;Data Name="ProcessGuid"&gt;{00000000-0000-0000-0000-000000000000}&lt;/Data&gt;
		&lt;Data Name="ProcessId"&gt;2481&lt;/Data&gt;
		&lt;Data Name="Image"&gt;&amp;lt;unknown process&amp;gt;&lt;/Data&gt;
		&lt;Data Name="User"&gt;root&lt;/Data&gt;
	&lt;/EventData&gt;
&lt;/Event&gt;</code></pre></div>
<p>다음은&nbsp;<a href="https://help.splunk.com/en/splunk-enterprise/search/spl-search-reference/9.4/search-commands/xmlkv" target="_blank">xmlkv</a>&nbsp;명령어를 이용한 테이블 구조 변환 결과. 여러 개의 Data 계층이 하나의 필드로만 추출된다. 마지막 User 속성이 이전 속성을 덮어쓴 결과.</p>
<p><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgHCo0bubFZvDGfWdAjslIwt7hceBbChSeijUNkEasuhRkBw-TG1ZMyTqtPhyh3_0MkIre4Leus3kwJEdTsCYPeIwYjsekVtWiMki6UUcnvcbPtka_WXi-JRfTeXJr6q54Wxui09pfhgAKsj9FcBBR2v0KhaAfCaBVbpTKUjs2aLccwuTcY274Q_apdm00H/s804/xmlkv.png"><img data-original-height="720" data-original-width="804" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgHCo0bubFZvDGfWdAjslIwt7hceBbChSeijUNkEasuhRkBw-TG1ZMyTqtPhyh3_0MkIre4Leus3kwJEdTsCYPeIwYjsekVtWiMki6UUcnvcbPtka_WXi-JRfTeXJr6q54Wxui09pfhgAKsj9FcBBR2v0KhaAfCaBVbpTKUjs2aLccwuTcY274Q_apdm00H/s16000/xmlkv.png"></a></p>
<p>이때 xml 계층 경로를 지정할 수 있는 <a href="https://help.splunk.com/en/splunk-enterprise/search/spl-search-reference/9.4/search-commands/xpath" target="_blank">xpath</a>를 사용하면 원하는 테이블 구조를 만들 수 있다.</p>
<p><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhj0ZKIviPCwWpH4kWt571VmodA_akarsxsevp0sJWdPBg4a7z4Ynia_ril-yVHU1h4wTylCURVHQVFq9YxG45THkQgAsCnLACAzTYV2i9iBUsO8Bpa_Efx4KgNfhrWIZ-L6ngS7598fCbrpBfHBxfwgFx4KcrviYgHT7J1UEUAOM2B4j4OpEhsboizCWk_/s1024/xpath.png"><img data-original-height="625" data-original-width="1024" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhj0ZKIviPCwWpH4kWt571VmodA_akarsxsevp0sJWdPBg4a7z4Ynia_ril-yVHU1h4wTylCURVHQVFq9YxG45THkQgAsCnLACAzTYV2i9iBUsO8Bpa_Efx4KgNfhrWIZ-L6ngS7598fCbrpBfHBxfwgFx4KcrviYgHT7J1UEUAOM2B4j4OpEhsboizCWk_/s16000/xpath.png"></a></p>
<p>json과 xml을 모두 지원하는 <a href="https://help.splunk.com/en/splunk-enterprise/search/spl-search-reference/9.4/search-commands/spath" target="_blank">spath</a>&nbsp;명령어를 사용할 수도 있는데,</p>
<p><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhYvFikJ1Gzbam-j16sfikZTOfE-ygniYZb3qItSMq7ACGUtgUmEJb3vaRDBMsjJ1GmgzrLyBwzCRoLKCldaGM03Gd3C2m6eCg3DqGJnm_QiEA-SqlNSFFMYoHQb54SMh_W886ZRDst5OE3kZL-F4QcE5AhVRtIDnk41Hf1BxmU2wzlxNUleEobJs18MwjN/s1024/spath.png"><img data-original-height="720" data-original-width="1024" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhYvFikJ1Gzbam-j16sfikZTOfE-ygniYZb3qItSMq7ACGUtgUmEJb3vaRDBMsjJ1GmgzrLyBwzCRoLKCldaGM03Gd3C2m6eCg3DqGJnm_QiEA-SqlNSFFMYoHQb54SMh_W886ZRDst5OE3kZL-F4QcE5AhVRtIDnk41Hf1BxmU2wzlxNUleEobJs18MwjN/s16000/spath.png"></a></p>
<p>대신 데이터가 xml 태그로만 이루어져 있어야 함.</p>
<p><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgN4jFJs_gRk2zqcpxjcLrZXlZuWm9e6mQKCWbx7J-WuG3N1Qx9885DhbygX2MUgSVDgmo1S3grSat6xZ9O4NeZ0K3T-Zf7_xA6R9bf3U6NLdCgOtBkcBQt-YsjcKrZfjtULvw2SS8s3OqPJGNmHBKfGyWtFXO1ywHvFfQr7YNKsbNXBFUxVSxp8QF_u56Q/s737/spath2.png"><img data-original-height="720" data-original-width="737" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgN4jFJs_gRk2zqcpxjcLrZXlZuWm9e6mQKCWbx7J-WuG3N1Qx9885DhbygX2MUgSVDgmo1S3grSat6xZ9O4NeZ0K3T-Zf7_xA6R9bf3U6NLdCgOtBkcBQt-YsjcKrZfjtULvw2SS8s3OqPJGNmHBKfGyWtFXO1ywHvFfQr7YNKsbNXBFUxVSxp8QF_u56Q/s16000/spath2.png"></a></p>
<p>경로 지정 구문도 좀 더 단순한 편.</p>
<p><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj7X2EDjp2na2WXKHrSz8Cmdg02W4sti-abUhBOgCLLg0wbPfWHm2hw2dAscwmJCpu3L2PnPOTp8d9JmJfN2ESnN9WczlGqURYJCNraL5TUIfil_hKpll4orKrHe54HBMnU9R8QCpTz-c5csJMEQ8dMmgDtrjKsnb5PmzJ11OBon0BYp4YmnqFCfyITlAGG/s1134/spath3.png"><img data-original-height="720" data-original-width="1134" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj7X2EDjp2na2WXKHrSz8Cmdg02W4sti-abUhBOgCLLg0wbPfWHm2hw2dAscwmJCpu3L2PnPOTp8d9JmJfN2ESnN9WczlGqURYJCNraL5TUIfil_hKpll4orKrHe54HBMnU9R8QCpTz-c5csJMEQ8dMmgDtrjKsnb5PmzJ11OBon0BYp4YmnqFCfyITlAGG/s16000/spath3.png"></a></p>

<p><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj2X8vqBoUd2sMdzBk7QjemrbJLkxvNlxb73M728T5L4N7Ucz8Ei1G5EjdLSOK2nSnc3i7sfMVeJWDSDjOCdiqFLq6h1YjP3munZXpZFeko2KGnacsWAGreocU9xvbJXpADjCu3zgcCzMBUBH63Eq5S7D3OPbC5xC0HV4BMX28MkujWFV8fapqVib28TiH-/s1134/spath4.png"><img data-original-height="720" data-original-width="1134" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj2X8vqBoUd2sMdzBk7QjemrbJLkxvNlxb73M728T5L4N7Ucz8Ei1G5EjdLSOK2nSnc3i7sfMVeJWDSDjOCdiqFLq6h1YjP3munZXpZFeko2KGnacsWAGreocU9xvbJXpADjCu3zgcCzMBUBH63Eq5S7D3OPbC5xC0HV4BMX28MkujWFV8fapqVib28TiH-/s16000/spath4.png"></a></p>
<br>

</div></div>

케세라세라

xml 포맷을 갖는 sysmon 이벤트 로그. 가장 중요한 EventData 계층은 동일한 Data 자식 계층이 반복되는 중첩 구조를 가지고 있다. 
<Event>
	<System>
		<Provider Name="Linux-Sysmon" Guid="{ff032593-a8d3-4f13-b0d6-01fc615a0f97}"/>
		<EventID>5</EventID>
		<Version>3</Version>
		<Level>4</Level>
		<Task>5</Task>
		<Opcode>0</Opcode>
		<Keywords>0x8000000000000000</Keywords>
		<TimeCreated SystemTime="2026-01-04T18:12:34.451516000Z"/>
		<EventRecordID>8660</EventRecordID>
		<Correlation/>
		<Execution ProcessID="947" ThreadID="947"/>
		<Channel>Linux-Sysmon/Operational</Channel>
		<Computer>rocky</Computer>
		<Security UserId="0"/>
	</System>
	<EventData>
		<Data Name="RuleName">-</Data>
		<Data Name="UtcTime">2026-01-04 18:12:34.454</Data>
		<Data Name="ProcessGuid">{00000000-0000-0000-0000-000000000000}</Data>
		<Data Name="ProcessId">2481</Data>
		<Data Name="Image">&lt;unknown process&gt;</Data>
		<Data Name="User">root</Data>
	</EventData>
</Event>
다음은 xmlkv 명령어를 이용한 테이블 구조 변환 결과. 여러 개의 Data 계층이 하나의 필드로만 추출된다. 마지막 User 속성이 이전 속성을 덮어쓴 결과.
이때 xml 계층 경로를 지정할 수 있는 xpath를 사용하면 원하는 테이블 구조를 만들 수 있다.
json과 xml을 모두 지원하는 spath 명령어를 사용할 수도 있는데,
대신 데이터가 xml 태그로만 이루어져 있어야 함.
경로 지정 구문도 좀 더 단순한 편.
eval 명령어 함수로도 사용 가능.
관련 글
xpath를 이용한 이벤트 로그 필터링
Logstash 필터 xml

Splunk의 xml 처리

댓글