I have been working with a product that, out of the box, outputs a “raw” XML syslog in a proprietary (but simple) XML format, and we need to transform some of the information in some of the messages.
That product can be configured to transform the “raw” XML into formats customized for SIEM products like Splunk and ArcSight, using a single XSLT:
Product ==> “raw” XML syslog output ==> ==> SIEM (e.g., ArcSight, Splunk, etc.)
Now, we have a requirement to modify ONE of the XML elements in some of the raw syslog messages, before the messages get transformed by the “SIEM-specific” XSLT. So we want to be able to have a flow like:
Product ==> “raw” XML syslog output ==> transformed by ==> transformed by ==> SIEM (e.g., ArcSight, Splunk, etc.)
I have been working on the “” and was posting on one of the XSLT mailing lists, and in one of the responses I got, someone mentioned possibly using/leveraging XProc to provide the “XSLT chaining”, so I have been doing some reading but still have some questions about XProc…
a) Because we are dealing with an existing product as the source of the syslog XML, and because we need to leverage the XSLT processor that is built into the product, which appears to use XALAN-C v1, we are, unfortunately, limited to using XSLT 1.0.
Is this going to prevent us from using XProc?
b) Also, I have been doing the XSLT development on a CentOS system, testing my XSLT using xsltproc, and then, after I get it working with xsltproc, testing the XSLT with the product itself.
As part of the XSLT development process, and the discussions on the XSLT mailing list, I have confirmed that the XSLT engine that the product uses is XALAN-C, and also that the exslt:set-node() function is available and working in both xsltproc and in the product itself.
My original intention was to try to implement the XSLT chaining in our XSLT code, but after doing some research about what would be involved, it seemed like we would essentially have to kind of replicate some of the functionality that is already provided by XProc, so I want to attempt to use XProc for our work, and I want to try to get the XSLT chaining working with XProc, together with our XSLT plus the XSLT provided by the product vendor for the SIEM.
I am posting the above information, but I also wanted to check, given the limitations that we have (e.g., limited to XSLT 1.0), are there any gotchas as far as using XProc to do what I described, in our case?
c) Also, I’ve seen some mention of Java… Assuming that the product we are working with supports XSLT 1.0 including set-node(), is Java also going to be needed in order to use XProc on the product?
I would be interested in any feedback and thanks in advance!
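The two-stage flow described in the post, written as an XProc 1.0 pipeline. This is an added example, not code from the poster or the product vendor; the stylesheet file names are hypothetical placeholders, and the `version` option of `p:xslt` is set to `'1.0'` for both stages so each stylesheet is run as XSLT 1.0.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example (not from the original post or any vendor):
     raw syslog XML -> our element-fixing XSLT 1.0 -> vendor SIEM XSLT 1.0 -> SIEM-ready output.
     The stylesheet hrefs are hypothetical placeholders. -->
<p:declare-step xmlns:p="http://www.w3.org/ns/xproc" version="1.0" name="syslog-chain">

  <!-- The "raw" XML syslog message arrives on the primary input port. -->
  <p:input port="source"/>
  <!-- The SIEM-specific document leaves on the primary output port. -->
  <p:output port="result"/>

  <!-- Stage 1: rewrite the one element we are responsible for.
       The source port is not bound explicitly, so it reads the pipeline input. -->
  <p:xslt name="fix-element">
    <p:input port="stylesheet">
      <p:document href="fix-element.xsl"/>     <!-- hypothetical: our XSLT 1.0 stylesheet -->
    </p:input>
    <p:with-option name="version" select="'1.0'"/>
  </p:xslt>

  <!-- Stage 2: the vendor's SIEM stylesheet. Again the source port is left
       unbound, so XProc connects it to the result of the previous step;
       that implicit connection is the "XSLT chaining". -->
  <p:xslt name="siem-format">
    <p:input port="stylesheet">
      <p:document href="vendor-siem.xsl"/>     <!-- hypothetical: vendor-supplied XSLT 1.0 -->
    </p:input>
    <p:with-option name="version" select="'1.0'"/>
  </p:xslt>

</p:declare-step>
```

Because each unbound `source` port defaults to the preceding step's result, a third stylesheet is just one more `p:xslt` element appended in order.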