Custom Windows Event Logs integration painless script fails to parse winlog.user_data.Param8

[lurk-er]

Elasticsearch Version

8.17.1

Installed Plugins

fleet

Java Version

bundled

OS Version

docker container

Problem Description

there seems to be a bug with the painless script that handles winlog.user_data.Param8.

Steps to Reproduce

Set the custom windows event logs integration to ingest logs from failover clustering logs or the windows print service. winlog.user_data.Param8 should fail to be parsed causing your data to be unsearchable.

Logs (if relevant)

org.elasticsearch.server@8.17.1/org.elasticsearch.index.fielddata.ScriptDocValues.throwIfEmpty(ScriptDocValues.java:93) org.elasticsearch.server@8.17.1/org.elasticsearch.index.fielddata.ScriptDocValues$Strings.get(ScriptDocValues.java:483) org.elasticsearch.server@8.17.1/org.elasticsearch.index.fielddata.ScriptDocValues$Strings.getValue(ScriptDocValues.java:478) emit(Integer.parseInt(doc['winlog.user_data.Param8'].value)); } ^---- HERE

if (doc.containsKey('winlog.user_data.Param8') ) { ...

[nielsbauman]

Hi @lurk-er, thank you for taking the time to open an issue! This sounds more like an issue with the integration itself rather than Elasticsearch. https://github.com/elastic/integrations is likely the right place for this issue, so I'll go ahead and close this for now. Feel free to come back to this issue if it turns out the issue does originate from Elasticsearch.

[lurk-er]

I can move this to the integrations repo.