winlogbeat 6.6.2 sends utf-16 control codes (carriage return, line feed, tab) #11328

Closed
kevinwilcox opened this issue Mar 20, 2019 · 0 comments

@kevinwilcox
commented Mar 20, 2019

winlogbeat version 6.6.2 x86_64
OS: Windows 10, Windows Server 2008R2
expected output: for multiline Windows event logs, "message" should have \n or \t
actual output: "message" field contains, e.g.,

"message" => "Special privileges assigned to new logon.\u000d\u000a\u000d\u000aSubject:\u000d\u000a\u0009Security ID:\u0009\u0009S-1-5-18\u000d\u000a\u0009Account Name:\u0009\u0009SYSTEM\u000d\u000a\u0009Account Domain:\u0009\u0009NT AUTHORITY\u000d\u000a\u0009Logon ID:\u0009\u00090x3E7\u000d\u000a\u000d\u000aPrivileges:\u0009\u0009SeAssignPrimaryTokenPrivilege\u000d\u000a\u0009\u0009\u0009SeTcbPrivilege\u000d\u000a\u0009\u0009\u0009SeSecurityPrivilege\u000d\u000a\u0009\u0009\u0009SeTakeOwnershipPrivilege\u000d\u000a\u0009\u0009\u0009SeLoadDriverPrivilege\u000d\u000a\u0009\u0009\u0009SeBackupPrivilege\u000d\u000a\u0009\u0009\u0009SeRestorePrivilege\u000d\u000a\u0009\u0009\u0009SeDebugPrivilege\u000d\u000a\u0009\u0009\u0009SeAuditPrivilege\u000d\u000a\u0009\u0009\u0009SeSystemEnvironmentPrivilege\u000d\u000a\u0009\u0009\u0009SeImpersonatePrivilege\u000d\u000a\u0009\u0009\u0009SeDelegateSessionUserImpersonatePrivilege",

=====================

To reproduce:

download any other version of winlogbeat, unzip, copy to c:\program files\winlogbeat, run install ps1 file. start/stop winlogbeat service to ensure everything works. rename winlogbeat to winlogbeat-.

with service stopped, download 6.6.1, unzip, copy to c:\program files\winlogbeat. copy in winlogbeat.yml. start-service winlogbeat.

=====================

relevant winlogbeat.yml config:

winlogbeat.event_logs:
  - name: Application
    ignore_older: 72h
  - name: Security
  - name: System
output.logstash:
  hosts: ["192.168.1.9:5044"]
processors:
- add_host_metadata:
    netinfo.enabled: true

=====================

192.168.1.9 is a logstash 6.6.x instance (tested with 6.6.1 and 6.6.2). logstash config is:

input { beats { port => 5044 } }
filter { }
output { if [event_id] in [4624, 4672] { stdout { codec => rubydebug } } }

adriansr added a commit to adriansr/beats that referenced this issue Mar 21, 2019

Fix Winlogbeat escaping CRLF sequences
Previous fix (elastic#11006) made Winlogbeat escape CRLF control characters
which are expected in Windows event logs.

Fixes elastic#11328

adriansr added a commit that referenced this issue Mar 21, 2019

Fix Winlogbeat escaping CRLF and TAB characters (#11357)
Previous fix (#11006) made Winlogbeat escape CRLF control characters
which are expected in Windows event logs.

Fixes #11328

adriansr added a commit to adriansr/beats that referenced this issue Mar 21, 2019

Fix Winlogbeat escaping CRLF and TAB characters (elastic#11357)
Previous fix (elastic#11006) made Winlogbeat escape CRLF control characters
which are expected in Windows event logs.

Fixes elastic#11328

(cherry picked from commit 6865403)

adriansr added a commit that referenced this issue Mar 21, 2019

Fix Winlogbeat escaping CRLF and TAB characters (#11357) (#11369)
Previous fix (#11006) made Winlogbeat escape CRLF control characters
which are expected in Windows event logs.

Fixes #11328

(cherry picked from commit 6865403)

adriansr added a commit that referenced this issue Mar 21, 2019

Fix Winlogbeat escaping CRLF and TAB characters (#11357) (#11373)
Previous fix (#11006) made Winlogbeat escape CRLF control characters
which are expected in Windows event logs.

Fixes #11328

(cherry picked from commit 6865403)

adriansr added a commit that referenced this issue Mar 22, 2019

Cherry-pick #11357 to 5.6: Fix Winlogbeat escaping CRLF sequences (#11372)

Previous fix (#11006) made Winlogbeat escape CRLF control characters
which are expected in Windows event logs.

Fixes #11328

(cherry picked from commit 6865403)

adriansr added a commit that referenced this issue Mar 28, 2019

Cherry-pick #11357 to 6.6: Fix Winlogbeat escaping CRLF sequences (#11370)

Previous fix (#11006) made Winlogbeat escape CRLF control characters
which are expected in Windows event logs.

Fixes #11328

(cherry picked from commit 6865403)

DebashisMondal added a commit to DebashisMondal/beats that referenced this issue May 10, 2019

Fix Winlogbeat escaping CRLF and TAB characters (elastic#11357)
Previous fix (elastic#11006) made Winlogbeat escape CRLF control characters
which are expected in Windows event logs.

Fixes elastic#11328