Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[Winlogbeat] [Sysmon] dns.resolved_ip - not an IP string literal #18432

Closed
nicpenning opened this issue May 11, 2020 · 3 comments · Fixed by #18436
Closed

[Winlogbeat] [Sysmon] dns.resolved_ip - not an IP string literal #18432

nicpenning opened this issue May 11, 2020 · 3 comments · Fixed by #18436
Labels
bug Winlogbeat

Comments

@nicpenning
Copy link
Contributor

nicpenning commented May 11, 2020
edited by andrewkroh
Loading

  • Version: 7.6.2
  • Operating System: Windows 10
  • Discuss Forum URL:
  • Steps to Reproduce: Execute a DNS query that returns a lot of IP addresses:

Sysmon appears to generate DNS Query logs that get truncated after a certain amount of characters which could leave the QueryResults with an invalid IP address.

This is the error:

elasticsearch �TCould not index event to Elasticsearch. status: 400, action: ["index", {:_id=>nil, :_index=>"winlogbeat-7.6.2", :routing=>nil, :_type=>"_doc"}, #<LogStash::Event:0x6f1f9792>], response: {"index"=>{"_index"=>"winlogbeat-7.6.2-2020.05.10-000007", "_type"=>"_doc", "_id"=>"vlSpBXIB44A-TpNhvsA_", "status"=>400, "error"=>{"type"=>"mapper_parsing_exception", "reason"=>"failed to parse field [dns.resolved_ip] of type [ip] in document with id 'vlSpBXIB44A-TpNhvsA_'. Preview of field's value: '52'", "caused_by"=>{"type"=>"illegal_argument_exception", "reason"=>"'52' is not an IP string literal."}}}}

This is what the Windows Event Log looks like:

Dns query:
 RuleName:
 UtcTime: 2020-05-11 21:33:09.760
 ProcessGuid: {d83d2700-d8c3-5e9d-0100-001020175589}
 ProcessId: 123972
 QueryName: f4ec9d98b5294fe5b1bace95454f00b7.nrb.footprintdns.com
 QueryStatus: 0
 QueryResults: type: 5 lyh-efz.office.com;::ffff:40.97.30.130;::ffff:40.97.152.34;::ffff:52.96.43.162;::ffff:40.97.168.114;::ffff:40.97.152.2;::ffff:40.97.154.242;::ffff:40.97.170.2;::ffff:40.97.153.146;::ffff:40.97.126.210;::ffff:52.96.29.82;::ffff:40.97.126.178;::ffff:40.97.24.2;::ffff:40.97.170.194;::ffff:40.97.126.194;::ffff:40.97.124.226;::ffff:40.97.124.194;::ffff:40.97.30.162;::ffff:40.97.124.34;::ffff:40.97.29.50;::ffff:40.97.124.210;::ffff:40.97.28.98;::ffff:40.97.154.82;::ffff:40.97.170.178;::ffff:40.97.170.162;::ffff:40.96.32.34;::ffff:40.97.154.226;::ffff:40.97.169.242;::ffff:40.97.171.98;::ffff:40.97.169.146;::ffff:40.97.100.2;::ffff:40.97.169.162;::ffff:40.97.152.82;::ffff:40.97.155.194;::ffff:52.96.54.210;::ffff:52.96.40.114;::ffff:40.97.171.114;::ffff:52.96.37.210;::ffff:40.97.168.98;::ffff:40.97.154.66;::ffff:40.97.28.82;::ffff:40.97.28.114;::ffff:40.97.24.18;::ffff:40.97.228.178;::ffff:40.97.155.178;::ffff:40.97.31.50;::ffff:52.96.37.34;::ffff:40.97.124.18;::ffff:40.97.24.50;::ffff:40.97.230.178;::ffff:52

Here is a link to the discussion post I started in regards to what to expect of Sysmon:
https://social.technet.microsoft.com/Forums/en-US/27010f2b-61c4-4051-a1d7-9cf681c87d7f/sysmon-dns-query-results-are-truncated?forum=windowsinternals
@botelastic botelastic bot added the needs_team Indicates that the issue/PR needs a Team:* label label May 11, 2020
@nicpenning
Copy link
Contributor Author

@andrewkroh Hope this helps!

@andrewkroh andrewkroh changed the title [WinLogBeat] [SysMon] dns.resolved_ip - not an IP string literal [Winlogbeat] [Sysmon] dns.resolved_ip - not an IP string literal May 11, 2020
@elasticmachine
Copy link
Collaborator

Pinging @elastic/siem (Team:SIEM)

@botelastic botelastic bot removed the needs_team Indicates that the issue/PR needs a Team:* label label May 11, 2020
@andrewkroh andrewkroh mentioned this issue May 11, 2020
Merged
3 tasks
andrewkroh added a commit to andrewkroh/beats that referenced this issue May 11, 2020
@andrewkroh
Don't set dns.resolved_ip with invalid IP addresses
7b31d06 
Sometimes the DNS IP addresses from Sysmon in `winlog.event_data.QueryResults` are truncated.
The leads to mapping exceptions since the value is not of type `ip` in Elasticsearch.

To fix this the module will now filter any results that are not valid IP addresses.

Fixes elastic#18432
@andrewkroh
Copy link
Member

Fix: #18436

andrewkroh added a commit that referenced this issue May 12, 2020
@andrewkroh
Don't set dns.resolved_ip with invalid IP addresses (#18436)
ecd0f72 
Sometimes the DNS IP addresses from Sysmon in `winlog.event_data.QueryResults` are truncated.
The leads to mapping exceptions since the value is not of type `ip` in Elasticsearch.

To fix this the module will now filter any results that are not valid IP addresses.

Fixes #18432
@andrewkroh andrewkroh mentioned this issue May 12, 2020
Merged
3 tasks
andrewkroh added a commit to andrewkroh/beats that referenced this issue May 12, 2020
@andrewkroh
Don't set dns.resolved_ip with invalid IP addresses (elastic#18436)
e6f8012 
Sometimes the DNS IP addresses from Sysmon in `winlog.event_data.QueryResults` are truncated.
The leads to mapping exceptions since the value is not of type `ip` in Elasticsearch.

To fix this the module will now filter any results that are not valid IP addresses.

Fixes elastic#18432

(cherry picked from commit ecd0f72)
@andrewkroh andrewkroh mentioned this issue May 12, 2020
Merged
3 tasks
andrewkroh added a commit to andrewkroh/beats that referenced this issue May 12, 2020
@andrewkroh
Don't set dns.resolved_ip with invalid IP addresses (elastic#18436)
d306877 
Sometimes the DNS IP addresses from Sysmon in `winlog.event_data.QueryResults` are truncated.
The leads to mapping exceptions since the value is not of type `ip` in Elasticsearch.

To fix this the module will now filter any results that are not valid IP addresses.

Fixes elastic#18432

(cherry picked from commit ecd0f72)
andrewkroh added a commit that referenced this issue May 13, 2020
@andrewkroh
Don't set dns.resolved_ip with invalid IP addresses (#18436) (#18469)
d279ff7 
Sometimes the DNS IP addresses from Sysmon in `winlog.event_data.QueryResults` are truncated.
The leads to mapping exceptions since the value is not of type `ip` in Elasticsearch.

To fix this the module will now filter any results that are not valid IP addresses.

Fixes #18432

(cherry picked from commit ecd0f72)
andrewkroh added a commit that referenced this issue May 13, 2020
@andrewkroh
Don't set dns.resolved_ip with invalid IP addresses (#18436) (#18468)
5fd3577 
Sometimes the DNS IP addresses from Sysmon in `winlog.event_data.QueryResults` are truncated.
The leads to mapping exceptions since the value is not of type `ip` in Elasticsearch.

To fix this the module will now filter any results that are not valid IP addresses.

Fixes #18432

(cherry picked from commit ecd0f72)
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug Winlogbeat
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Don't set dns.resolved_ip with invalid IP addresses andrewkroh/beats
3 participants
@andrewkroh @nicpenning @elasticmachine