[Winlogbeat] Ignore non-compliant event version values #15838

andrewkroh · 2020-01-24T20:37:22Z

The XML schema for Windows event logs defines the Version as an unsignedByte (reference). It contains the version number of the event's definition.

<xs:element name="Version"
    type="unsignedByte"
/>

Events containing Version values that are not uint8 will cause the XML parser to return an error. This results in an event from Winlogbeat with an error.message an not much usable data.

{
  "@metadata": {
    "beat": "winlogbeat",
    "type": "_doc",
    "version": "8.0.0"
  },
  "@timestamp": "0001-01-01T00:00:00.000Z",
  "agent": {
    "ephemeral_id": "df2506e7-02ed-483d-ad29-71ce21c33568",
    "hostname": "vagrant",
    "id": "29845c4d-9a56-426f-b12f-7c930602301b",
    "type": "winlogbeat",
    "version": "8.0.0"
  },
  "ecs": {
    "version": "1.4.0"
  },
  "error": {
    "message": "strconv.ParseUint: parsing \"101.3\": invalid syntax"
  },
  "event": {
    "code": 4656,
    "created": "2020-01-24T20:31:06.581Z",
    "kind": "event",
    "original": "<Event xmlns='http://schemas.netapp.com/events/event'><System><Provider Name='NetApp-Security-Auditing' Guid='{3CB2A168-FE19-4A4E-BDAD-DCF422F13473}'/><EventID>4656</EventID><EventName>Open Object</EventName><Version>101.3</Version><Source>CIFS</Source><Level>0</Level><Opcode>0</Opcode><Keywords>0x8020000000000000</Keywords><Result>Audit Success</Result><TimeCreated SystemTime='2019-03-26T23:27:07.015494000Z'/><Correlation/><Channel>Security</Channel><Computer>anvil/vs-anvil</Computer><ComputerUUID>b5552ea8-5ae2-11e6-b524-00a098a5d936/91f499cd-5cfe-11e6-b525-00a098a5d936</ComputerUUID><Security/></System><EventData><Data Name='SubjectIP' IPVersion='4'>192.168.1.2</Data><Data Name='SubjectHostname' Source=''></Data><Data Name='SubjectUnix' Uid='65534' Gid='65534' Local='false'/><Data Name='SubjectUserSid'>S-1-5-21-2770437333-1905433116-4256127273-1282</Data><Data Name='SubjectUserIsLocal'>false</Data><Data Name='SubjectDomainName'>DOMAIN</Data><Data Name='SubjectUserName'>john.doe</Data><Data Name='ObjectServer'>Security</Data><Data Name='ObjectType'>File</Data><Data Name='HandleID'>00000000000000;00;00000000;00000000</Data><Data Name='ObjectName'>(workshop_fg);/path/09.jpg</Data><Data Name='AccessList'>%%4416 %%4417 %%4418 %%4419 %%4420 %%4423 %%4424 %%1538 </Data><Data Name='AccessMask'>8607</Data><Data Name='DesiredAccess'>Read Data; List Directory; Write Data; Add File; Append Data; Add Subdirectory; Read Extended Attributes; Write Extended Attributes; Read Attributes; Write Attributes; Read ACL; </Data><Data Name='Attributes'>Set Attributes; Create; Open a non-directory; </Data></EventData></Event>",
    "provider": "NetApp-Security-Auditing"
  },
  "host": {
    "name": "vagrant"
  },
  "log": {
    "file": {
      "path": "C:\\vagrant\\winlogbeat\\sys\\wineventlog\\testdata\\netapp-example.evtx"
    },
    "level": "information"
  },
  "winlog": {
    "api": "wineventlog",
    "channel": "",
    "event_id": 4656,
    "provider_guid": "{3CB2A168-FE19-4A4E-BDAD-DCF422F13473}",
    "provider_name": "NetApp-Security-Auditing",
    "record_id": 0,
    "task": ""
  }
}

I propose we make the parsing of Version more lenient and simply drop values that are non in the uint8 range. We cannot change the type of winlog.version, which is long in Elasticsearch, without a breaking change.

The text was updated successfully, but these errors were encountered:

This causes the XML parser to ignore Version values that are not unsignedByte values (as defined in the schema). Closes elastic#15838

This causes the XML parser to ignore Version values that are not unsignedByte values (as defined in the schema). Closes #15838

This causes the XML parser to ignore Version values that are not unsignedByte values (as defined in the schema). Closes elastic#15838 (cherry picked from commit 33f7112)

This causes the XML parser to ignore Version values that are not unsignedByte values (as defined in the schema). Closes #15838 (cherry picked from commit 33f7112)

Fix for #15838 has first arrived in 7.6.1, not 7.5.0. Verification: v7.6.0...v7.6.1

Fix for elastic#15838 has first arrived in 7.6.1, not 7.5.0. Verification: elastic/beats@v7.6.0...v7.6.1

* Add 7.7.1 changelog * Fix 15838 issue placement in CHANGELOG (#19105) Fix for #15838 has first arrived in 7.6.1, not 7.5.0. Verification: v7.6.0...v7.6.1 * Add relnotes link Co-authored-by: Grzegorz Banasiak <grzegorz.banasiak@elastic.co>

* Add 7.7.1 changelog * Fix 15838 issue placement in CHANGELOG (elastic#19105) Fix for elastic#15838 has first arrived in 7.6.1, not 7.5.0. Verification: elastic/beats@v7.6.0...v7.6.1 * Add relnotes link Co-authored-by: Grzegorz Banasiak <grzegorz.banasiak@elastic.co>

* Add 7.7.1 changelog * Fix 15838 issue placement in CHANGELOG (#19105) Fix for #15838 has first arrived in 7.6.1, not 7.5.0. Verification: v7.6.0...v7.6.1 * Add relnotes link Co-authored-by: Grzegorz Banasiak <grzegorz.banasiak@elastic.co> Co-authored-by: Grzegorz Banasiak <grzegorz.banasiak@elastic.co>

Fix for elastic#15838 has first arrived in 7.6.1, not 7.5.0. Verification: elastic/beats@v7.6.0...v7.6.1

* Add 7.7.1 changelog * Fix 15838 issue placement in CHANGELOG (elastic#19105) Fix for elastic#15838 has first arrived in 7.6.1, not 7.5.0. Verification: elastic/beats@v7.6.0...v7.6.1 * Add relnotes link Co-authored-by: Grzegorz Banasiak <grzegorz.banasiak@elastic.co> Co-authored-by: Grzegorz Banasiak <grzegorz.banasiak@elastic.co>

* Add 7.7.1 changelog * Fix 15838 issue placement in CHANGELOG (elastic#19105) Fix for elastic#15838 has first arrived in 7.6.1, not 7.5.0. Verification: elastic/beats@v7.6.0...v7.6.1 * Add relnotes link Co-authored-by: Grzegorz Banasiak <grzegorz.banasiak@elastic.co>

andrewkroh added the Winlogbeat label Jan 24, 2020

andrewkroh added a commit to andrewkroh/beats that referenced this issue Jan 24, 2020

Ignore non-conforming windows event version numbers

50e2a38

This causes the XML parser to ignore Version values that are not unsignedByte values (as defined in the schema). Closes elastic#15838

andrewkroh mentioned this issue Jan 24, 2020

Ignore non-conforming windows event version numbers #15839

Merged

andrewkroh closed this as completed in #15839 Jan 25, 2020

andrewkroh added a commit that referenced this issue Jan 25, 2020

Ignore non-conforming windows event version numbers (#15839)

33f7112

This causes the XML parser to ignore Version values that are not unsignedByte values (as defined in the schema). Closes #15838

andrewkroh mentioned this issue Jan 27, 2020

Cherry-pick #15839 to 7.x: Ignore non-conforming windows event version numbers #15860

Merged

andrewkroh mentioned this issue Jan 27, 2020

Cherry-pick #15839 to 7.6: Ignore non-conforming windows event version numbers #15861

Merged

gbanasiak added a commit that referenced this issue Jun 10, 2020

Fix 15838 issue placement in CHANGELOG

2866f82

Fix for #15838 has first arrived in 7.6.1, not 7.5.0. Verification: v7.6.0...v7.6.1

gbanasiak mentioned this issue Jun 10, 2020

Fix 15838 issue placement in CHANGELOG #19105

Merged

andrewkroh pushed a commit that referenced this issue Aug 10, 2020

Fix 15838 issue placement in CHANGELOG (#19105)

2c32411

Fix for #15838 has first arrived in 7.6.1, not 7.5.0. Verification: v7.6.0...v7.6.1

dedemorton pushed a commit to dedemorton/beats that referenced this issue Oct 16, 2020

Fix 15838 issue placement in CHANGELOG (elastic#19105)

ffadc7a

Fix for elastic#15838 has first arrived in 7.6.1, not 7.5.0. Verification: elastic/beats@v7.6.0...v7.6.1

dedemorton pushed a commit to dedemorton/beats that referenced this issue Oct 16, 2020

Fix 15838 issue placement in CHANGELOG (elastic#19105)

cc6aece

Fix for elastic#15838 has first arrived in 7.6.1, not 7.5.0. Verification: elastic/beats@v7.6.0...v7.6.1

leweafan pushed a commit to leweafan/beats that referenced this issue Apr 28, 2023

Fix 15838 issue placement in CHANGELOG (elastic#19105)

e1900af

Fix for elastic#15838 has first arrived in 7.6.1, not 7.5.0. Verification: elastic/beats@v7.6.0...v7.6.1

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

[Winlogbeat] Ignore non-compliant event version values #15838

[Winlogbeat] Ignore non-compliant event version values #15838

andrewkroh commented Jan 24, 2020

[Winlogbeat] Ignore non-compliant event version values #15838

[Winlogbeat] Ignore non-compliant event version values #15838

Comments

andrewkroh commented Jan 24, 2020