- From: ohaya <ohaya@yahoo.com>
- Date: Thu, 8 Aug 2024 15:13:29 +0000 (UTC)
- To: "xproc-dev@w3.org" <xproc-dev@w3.org>
- Cc: "ohaya@yahoo.com" <ohaya@yahoo.com>
- Message-ID: <1053884463.2819691.1723130009041@mail.yahoo.com>
Hi,

I have been working with a product that outputs an XML syslog, and we need to transform some of the information in some of the messages. That product supports conversion of the "raw" XML into formats (some formats are XML, some are text) that are customized for SIEM products like Splunk and ArcSight using XSLT:

Product ==> "raw" XML syslog output ==> <SIEM-specific XSLT> ==> SIEM (e.g., ArcSight, Splunk, etc.)

However, we have a requirement to modify one of the XML elements in some of the syslog messages, so we want to support a flow like:

Product ==> "raw" XML syslog output ==> <our XSLT> ==> <SIEM-specific XSLT> ==> SIEM (e.g., ArcSight, Splunk, etc.)

I have been working on the "<our XSLT>" and was posting about what I am doing on the Mulberry XSLT mailing list. One of the responses I got mentioned possibly using/leveraging XProc to provide the "XSLT chaining", so I have been doing some reading and then just signed up for this mailing list to discuss how I can accomplish the above...

Because we are dealing with an existing product as the source of the syslog XML, and because we need to leverage the XSLT processor that is built into the product, we are, unfortunately, limited to using XSLT 1.0.

Also, I have been doing the XSLT development on a CENTOS system and testing my XSLT using xsltproc; after I get it working with xsltproc, I then test with the product itself.

As part of the XSLT development process, and the discussions on the XSLT mailing list, I have confirmed that the XSLT engine that the product uses is XALAN-C, and also that the exslt:set-node() function is working.

Also, to be completely transparent, my original intention was to try to implement the XSLT chaining in our code, but after doing some research about what would be involved, it seemed like we would essentially have to replicate some of the functionality that is already provided by XProc, so I want to attempt to use XProc for our work.

However, our environment is such that I have to go through a process to be allowed to use "outside" software, including open-source. I've requested approval and am still awaiting a response, but meanwhile I wanted to try to get the XSLT chaining working with XProc, together with our XSLT plus the XSLT provided by the product vendor for the SIEM.

I am posting the above information, but I also wanted to check: given the limitations that we have (e.g., limited to XSLT 1.0), are there any gotchas as far as using XProc to do what I described, in our case?

I would be interested in any feedback, and thanks in advance!

Jim

Received on Friday, 9 August 2024 08:15:27 UTC