Fix Winlogbeat escaping CRLF sequences

Previous fix (elastic#11006) made Winlogbeat escape CRLF control characters which are expected in Windows event logs. Fixes elastic#11328
adriansr · Mar 21, 2019 · aeea9c4 · aeea9c4
1 parent 5b6cedb
commit aeea9c4
Show file tree

Hide file tree

Showing 4 changed files with 56 additions and 15 deletions.
diff --git a/winlogbeat/sys/event_test.go b/winlogbeat/sys/event_test.go
@@ -21,6 +21,7 @@ import (
  "encoding/json"
  "encoding/xml"
  "fmt"
+ "strings"
  "testing"
  "time"
 
@@ -168,21 +169,13 @@ func TestXML(t *testing.T) {
  }
 }
 
+// Tests that control characters other than CR and LF are escaped
+// when the event is decoded.
 func TestInvalidXML(t *testing.T) {
- eventXML := fmt.Sprintf(`
-<Event>
- <UserData>
- <Operation_ClientFailure xmlns='http://manifests.microsoft.com/win/2006/windows/WMI'>
- <Id>{00000000-0000-0000-0000-000000000000}</Id>
- <Message>じゃあ宇宙カウボーイ。。。%s</Message>
- </Operation_ClientFailure>
- </UserData>
-</Event>
-`, "\x1b")
- _, err := UnmarshalEventXML([]byte(eventXML))
- if !assert.NoError(t, err) {
- assert.Equal(t, err.Error(), "XML syntax error on line 6: illegal character code U+001B")
- }
+ evXML := strings.Replace(allXML, "%1", "&#xD;\n\x1b", -1)
+ ev, err := UnmarshalEventXML([]byte(evXML))
+ assert.Equal(t, nil, err)
+ assert.Equal(t, "Creating WSMan shell on server with ResourceUri: \r\n\\u001b", ev.Message)
 }
 
 func BenchmarkXMLUnmarshal(b *testing.B) {

diff --git a/winlogbeat/sys/xmlreader.go b/winlogbeat/sys/xmlreader.go
@@ -58,7 +58,7 @@ func (r *xmlSafeReader) Read(d []byte) (n int, err error) {
  }
  for i := 0; i < len(r.buf); {
  code, size := utf8.DecodeRune(r.buf[i:])
- if unicode.IsControl(code) {
+ if !unicode.IsSpace(code) && unicode.IsControl(code) {
  n = copy(d, r.buf[:i])
  r.buf = r.buf[n+1:]
  r.code = []byte(fmt.Sprintf("\\u%04x", code))

diff --git a/winlogbeat/tests/system/test_eventlogging.py b/winlogbeat/tests/system/test_eventlogging.py
@@ -234,3 +234,27 @@ def test_processors(self):
  evts = self.read_events(config)
  self.assertTrue(len(evts), 1)
  self.assertNotIn("message", evts[0])
+
+ def test_multiline_events(self):
+ """
+ eventlogging - Event with newlines and control characters
+ """
+ msg = """
+A trusted logon process has been registered with the Local Security Authority.
+This logon process will be trusted to submit logon requests.
+
+Subject:
+
+Security ID: SYSTEM
+Account Name: MS4\x1e$
+Account Domain: WORKGROUP
+Logon ID: 0x3e7
+Logon Process Name: IKE"""
+ self.write_event_log(msg)
+ evts = self.read_events()
+ self.assertTrue(len(evts), 1)
+ self.assertEqual(unicode(self.api), evts[0]["winlog.api"], evts[0])
+ self.assertNotIn("event.original", evts[0], evts[0])
+ self.assertIn("message", evts[0], evts[0])
+ self.assertNotIn("\\u000a", evts[0]["message"])
+ self.assertEqual(unicode(msg), evts[0]["message"].decode('unicode-escape'), evts[0])
diff --git a/winlogbeat/tests/system/test_wineventlog.py b/winlogbeat/tests/system/test_wineventlog.py
@@ -388,3 +388,27 @@ def test_processors(self):
  evts = self.read_events(config)
  self.assertTrue(len(evts), 1)
  self.assertNotIn("message", evts[0])
+
+ def test_multiline_events(self):
+ """
+ wineventlog - Event with newlines and control characters
+ """
+ msg = """
+A trusted logon process has been registered with the Local Security Authority.
+This logon process will be trusted to submit logon requests.
+
+Subject:
+
+Security ID: SYSTEM
+Account Name: MS4\x1e$
+Account Domain: WORKGROUP
+Logon ID: 0x3e7
+Logon Process Name: IKE"""
+ self.write_event_log(msg)
+ evts = self.read_events()
+ self.assertTrue(len(evts), 1)
+ self.assertEqual(unicode(self.api), evts[0]["winlog.api"], evts[0])
+ self.assertNotIn("event.original", evts[0], evts[0])
+ self.assertIn("message", evts[0], evts[0])
+ self.assertNotIn("\\u000a", evts[0]["message"])
+ self.assertEqual(unicode(msg), evts[0]["message"].decode('unicode-escape'), evts[0])