Skip to content

Commit

Permalink
Fix Winlogbeat escaping CRLF and TAB characters (elastic#11357)
Browse files Browse the repository at this point in the history
Previous fix (elastic#11006) made Winlogbeat escape CRLF control characters
which are expected in Windows event logs.

Fixes elastic#11328

(cherry picked from commit 6865403)
  • Loading branch information
adriansr committed Mar 21, 2019
1 parent 79800ae commit ea6b328
Show file tree
Hide file tree
Showing 5 changed files with 57 additions and 15 deletions.
1 change: 1 addition & 0 deletions CHANGELOG.next.asciidoc
Original file line number Diff line number Diff line change
Expand Up @@ -159,6 +159,7 @@ https://github.com/elastic/beats/compare/v6.6.0...6.x[Check the HEAD diff]
*Winlogbeat*

- Prevent Winlogbeat from dropping events with invalid XML. {pull}11006{11006}
- Fix Winlogbeat escaping CR, LF and TAB characters. {issue}11328[11328] {pull}11357[11357]

*Functionbeat*

Expand Down
21 changes: 7 additions & 14 deletions winlogbeat/sys/event_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -21,6 +21,7 @@ import (
"encoding/json"
"encoding/xml"
"fmt"
"strings"
"testing"
"time"

Expand Down Expand Up @@ -168,21 +169,13 @@ func TestXML(t *testing.T) {
}
}

// Tests that control characters other than CR and LF are escaped
// when the event is decoded.
func TestInvalidXML(t *testing.T) {
eventXML := fmt.Sprintf(`
<Event>
<UserData>
<Operation_ClientFailure xmlns='http://manifests.microsoft.com/win/2006/windows/WMI'>
<Id>{00000000-0000-0000-0000-000000000000}</Id>
<Message>じゃあ宇宙カウボーイ。。。%s</Message>
</Operation_ClientFailure>
</UserData>
</Event>
`, "\x1b")
_, err := UnmarshalEventXML([]byte(eventXML))
if !assert.NoError(t, err) {
assert.Equal(t, err.Error(), "XML syntax error on line 6: illegal character code U+001B")
}
evXML := strings.Replace(allXML, "%1", "\t&#xD;\n\x1b", -1)
ev, err := UnmarshalEventXML([]byte(evXML))
assert.Equal(t, nil, err)
assert.Equal(t, "Creating WSMan shell on server with ResourceUri: \t\r\n\\u001b", ev.Message)
}

func BenchmarkXMLUnmarshal(b *testing.B) {
Expand Down
2 changes: 1 addition & 1 deletion winlogbeat/sys/xmlreader.go
Original file line number Diff line number Diff line change
Expand Up @@ -58,7 +58,7 @@ func (r *xmlSafeReader) Read(d []byte) (n int, err error) {
}
for i := 0; i < len(r.buf); {
code, size := utf8.DecodeRune(r.buf[i:])
if unicode.IsControl(code) {
if !unicode.IsSpace(code) && unicode.IsControl(code) {
n = copy(d, r.buf[:i])
r.buf = r.buf[n+1:]
r.code = []byte(fmt.Sprintf("\\u%04x", code))
Expand Down
24 changes: 24 additions & 0 deletions winlogbeat/tests/system/test_eventlogging.py
Original file line number Diff line number Diff line change
Expand Up @@ -232,3 +232,27 @@ def test_processors(self):
evts = self.read_events(config)
self.assertTrue(len(evts), 1)
self.assertNotIn("message", evts[0])

def test_multiline_events(self):
"""
eventlogging - Event with newlines and control characters
"""
msg = """
A trusted logon process has been registered with the Local Security Authority.
This logon process will be trusted to submit logon requests.
Subject:
Security ID: SYSTEM
Account Name: MS4\x1e$
Account Domain: WORKGROUP
Logon ID: 0x3e7
Logon Process Name: IKE"""
self.write_event_log(msg)
evts = self.read_events()
self.assertTrue(len(evts), 1)
self.assertEqual(unicode(self.api), evts[0]["winlog.api"], evts[0])
self.assertNotIn("event.original", evts[0], msg=evts[0])
self.assertIn("message", evts[0], msg=evts[0])
self.assertNotIn("\\u000a", evts[0]["message"], msg=evts[0])
self.assertEqual(unicode(msg), evts[0]["message"].decode('unicode-escape'), msg=evts[0])
24 changes: 24 additions & 0 deletions winlogbeat/tests/system/test_wineventlog.py
Original file line number Diff line number Diff line change
Expand Up @@ -376,3 +376,27 @@ def test_processors(self):
evts = self.read_events(config)
self.assertTrue(len(evts), 1)
self.assertNotIn("message", evts[0])

def test_multiline_events(self):
"""
wineventlog - Event with newlines and control characters
"""
msg = """
A trusted logon process has been registered with the Local Security Authority.
This logon process will be trusted to submit logon requests.
Subject:
Security ID: SYSTEM
Account Name: MS4\x1e$
Account Domain: WORKGROUP
Logon ID: 0x3e7
Logon Process Name: IKE"""
self.write_event_log(msg)
evts = self.read_events()
self.assertTrue(len(evts), 1)
self.assertEqual(unicode(self.api), evts[0]["winlog.api"], msg=evts[0])
self.assertNotIn("event.original", evts[0], msg=evts[0])
self.assertIn("message", evts[0], msg=evts[0])
self.assertNotIn("\\u000a", evts[0]["message"], msg=evts[0])
self.assertEqual(unicode(msg), evts[0]["message"].decode('unicode-escape'), msg=evts[0])

0 comments on commit ea6b328

Please sign in to comment.