Description
- Version: 7.6.2
- Operating System: Windows 10
- Discuss Forum URL:
- Steps to Reproduce: Execute a DNS query that returns a lot of IP addresses:
Sysmon appears to generate DNS Query logs that get truncated after a certain number of characters, which could leave the QueryResults with an invalid IP address.
This is the error:

```
elasticsearch Could not index event to Elasticsearch. status: 400, action: ["index", {:_id=>nil, :_index=>"winlogbeat-7.6.2", :routing=>nil, :_type=>"_doc"}, #<LogStash::Event:0x6f1f9792>], response: {"index"=>{"_index"=>"winlogbeat-7.6.2-2020.05.10-000007", "_type"=>"_doc", "_id"=>"vlSpBXIB44A-TpNhvsA_", "status"=>400, "error"=>{"type"=>"mapper_parsing_exception", "reason"=>"failed to parse field [dns.resolved_ip] of type [ip] in document with id 'vlSpBXIB44A-TpNhvsA_'. Preview of field's value: '52'", "caused_by"=>{"type"=>"illegal_argument_exception", "reason"=>"'52' is not an IP string literal."}}}}
```
This is what the Windows Event Log looks like:

```
Dns query:
RuleName:
UtcTime: 2020-05-11 21:33:09.760
ProcessGuid: {d83d2700-d8c3-5e9d-0100-001020175589}
ProcessId: 123972
QueryName: f4ec9d98b5294fe5b1bace95454f00b7.nrb.footprintdns.com
QueryStatus: 0
QueryResults: type: 5 lyh-efz.office.com;::ffff:40.97.30.130;::ffff:40.97.152.34;::ffff:52.96.43.162;::ffff:40.97.168.114;::ffff:40.97.152.2;::ffff:40.97.154.242;::ffff:40.97.170.2;::ffff:40.97.153.146;::ffff:40.97.126.210;::ffff:52.96.29.82;::ffff:40.97.126.178;::ffff:40.97.24.2;::ffff:40.97.170.194;::ffff:40.97.126.194;::ffff:40.97.124.226;::ffff:40.97.124.194;::ffff:40.97.30.162;::ffff:40.97.124.34;::ffff:40.97.29.50;::ffff:40.97.124.210;::ffff:40.97.28.98;::ffff:40.97.154.82;::ffff:40.97.170.178;::ffff:40.97.170.162;::ffff:40.96.32.34;::ffff:40.97.154.226;::ffff:40.97.169.242;::ffff:40.97.171.98;::ffff:40.97.169.146;::ffff:40.97.100.2;::ffff:40.97.169.162;::ffff:40.97.152.82;::ffff:40.97.155.194;::ffff:52.96.54.210;::ffff:52.96.40.114;::ffff:40.97.171.114;::ffff:52.96.37.210;::ffff:40.97.168.98;::ffff:40.97.154.66;::ffff:40.97.28.82;::ffff:40.97.28.114;::ffff:40.97.24.18;::ffff:40.97.228.178;::ffff:40.97.155.178;::ffff:40.97.31.50;::ffff:52.96.37.34;::ffff:40.97.124.18;::ffff:40.97.24.50;::ffff:40.97.230.178;::ffff:52
```
Here is a link to the discussion post I started regarding what to expect of Sysmon:
https://social.technet.microsoft.com/Forums/en-US/27010f2b-61c4-4051-a1d7-9cf681c87d7f/sysmon-dns-query-results-are-truncated?forum=windowsinternals
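The failure above is a parsing problem on the consumer side: the Sysmon Event ID 22 `QueryResults` string is cut off mid-address, and whatever splits it on `;` and strips the `::ffff:` prefix hands the fragment `52` to an Elasticsearch `ip` field. The following is an added example, not winlogbeat's or Logstash's own code, written in Go because winlogbeat is a Go project. It shows one way a pipeline can split `QueryResults`, unwrap the IPv4-mapped form Sysmon uses for A records, and refuse anything that is not a complete address, flagging a rejected final element as the truncation seen in this issue. The function and type names (`parseQueryResults`, `ResolvedIPs`) are hypothetical, and `sampleQueryResults` is a constructed, shortened version of the event in the report.

```go
package main

import (
	"fmt"
	"net"
	"strings"
)

// sampleQueryResults is a constructed, shortened QueryResults value modelled
// on the truncated event in the issue (CNAME answer, A answers as ::ffff:x.x.x.x,
// one bare AAAA answer, then a cut-off trailing element).
const sampleQueryResults = "type: 5 lyh-efz.office.com;::ffff:40.97.30.130;::ffff:40.97.152.34;2603:1030::1;::ffff:52"

// ResolvedIPs is the parsed form of one Sysmon QueryResults field.
type ResolvedIPs struct {
	Names     []string // CNAME targets, e.g. "lyh-efz.office.com"
	IPs       []string // canonical addresses safe for an Elasticsearch ip field
	Dropped   []string // elements that were not a complete address
	Truncated bool     // the last element was rejected, i.e. the field was cut off
}

// parseOne validates a single ';'-separated element and returns its canonical form.
// Sysmon writes A answers as IPv4-mapped IPv6 ("::ffff:a.b.c.d"); for those the
// remainder must be a full dotted quad, otherwise a truncated "::ffff:40" would be
// accepted by net.ParseIP as the IPv6 address ::ffff:0.0.0.64 and indexed silently.
func parseOne(elem string) (string, bool) {
	if strings.HasPrefix(elem, "::ffff:") {
		rest := strings.TrimPrefix(elem, "::ffff:")
		ip := net.ParseIP(rest)
		if ip == nil || ip.To4() == nil || strings.Count(rest, ".") != 3 {
			return "", false
		}
		return ip.To4().String(), true
	}
	ip := net.ParseIP(elem) // bare IPv6 (AAAA) or plain IPv4
	if ip == nil {
		return "", false
	}
	return ip.String(), true
}

// parseQueryResults splits a QueryResults value, records CNAME targets from
// "type: N name" elements, validates every address element, and marks the
// field as truncated when its final element is not a complete address.
func parseQueryResults(raw string) ResolvedIPs {
	var out ResolvedIPs
	parts := strings.Split(strings.TrimSpace(raw), ";")
	for i, p := range parts {
		p = strings.TrimSpace(p)
		if p == "" {
			continue
		}
		if strings.HasPrefix(p, "type:") {
			// "type: 5 lyh-efz.office.com" -> record type 5 (CNAME), target name
			if fields := strings.Fields(p); len(fields) >= 3 {
				out.Names = append(out.Names, fields[2])
			}
			continue
		}
		canon, ok := parseOne(p)
		if !ok {
			out.Dropped = append(out.Dropped, p)
			if i == len(parts)-1 {
				out.Truncated = true
			}
			continue
		}
		out.IPs = append(out.IPs, canon)
	}
	return out
}

func main() {
	r := parseQueryResults(sampleQueryResults)
	fmt.Printf("names=%v\nips=%v\ndropped=%v\ntruncated=%v\n",
		r.Names, r.IPs, r.Dropped, r.Truncated)
}
```

The `Truncated` flag is what a practitioner would want surfaced as its own field (or an `error.message`) rather than dropped on the floor: a cut-off answer list means the event under-reports the IPs a process resolved, which matters when the log is used for detection, so the event should still be indexed with the valid addresses and a marker that the list is incomplete.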