winlogbeat 6.6.2 sends utf-16 control codes (carriage return, line feed, tab) #11328

Closed
kevinwilcox opened this issue Mar 20, 2019 · 0 comments · Fixed by #11357

kevinwilcox commented Mar 20, 2019

winlogbeat version 6.6.2 x86_64
OS: Windows 10, Windows Server 2008R2
expected output: for multiline Windows event logs, "message" should have \n or \t
actual output: "message" field contains, e.g.,

"message" => "Special privileges assigned to new logon.\u000d\u000a\u000d\u000aSubject:\u000d\u000a\u0009Security ID:\u0009\u0009S-1-5-18\u000d\u000a\u0009Account Name:\u0009\u0009SYSTEM\u000d\u000a\u0009Account Domain:\u0009\u0009NT AUTHORITY\u000d\u000a\u0009Logon ID:\u0009\u00090x3E7\u000d\u000a\u000d\u000aPrivileges:\u0009\u0009SeAssignPrimaryTokenPrivilege\u000d\u000a\u0009\u0009\u0009SeTcbPrivilege\u000d\u000a\u0009\u0009\u0009SeSecurityPrivilege\u000d\u000a\u0009\u0009\u0009SeTakeOwnershipPrivilege\u000d\u000a\u0009\u0009\u0009SeLoadDriverPrivilege\u000d\u000a\u0009\u0009\u0009SeBackupPrivilege\u000d\u000a\u0009\u0009\u0009SeRestorePrivilege\u000d\u000a\u0009\u0009\u0009SeDebugPrivilege\u000d\u000a\u0009\u0009\u0009SeAuditPrivilege\u000d\u000a\u0009\u0009\u0009SeSystemEnvironmentPrivilege\u000d\u000a\u0009\u0009\u0009SeImpersonatePrivilege\u000d\u000a\u0009\u0009\u0009SeDelegateSessionUserImpersonatePrivilege",

=====================

To reproduce:

Download any other version of winlogbeat, unzip it, copy it to c:\program files\winlogbeat, and run the install ps1 file. Start/stop the winlogbeat service to ensure everything works. Rename winlogbeat to winlogbeat-.

With the service stopped, download 6.6.1, unzip it, and copy it to c:\program files\winlogbeat. Copy in winlogbeat.yml. start-service winlogbeat.

=====================

relevant winlogbeat.yml config:

winlogbeat.event_logs:
  - name: Application
    ignore_older: 72h
  - name: Security
  - name: System
output.logstash:
  hosts: ["192.168.1.9:5044"]
processors:
- add_host_metadata:
    netinfo.enabled: true

=====================

192.168.1.9 is a Logstash 6.6.x instance (tested with 6.6.1 and 6.6.2). The Logstash config is:

input { beats { port => 5044 } }
filter { }
output { if [event_id] in [4624, 4672] { stdout { codec => rubydebug } } }
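The "message" value above reaches Logstash with the CR, LF and TAB characters already turned into literal six-character `\u000d`, `\u000a` and `\u0009` sequences, so any pipeline that splits the 4672 body on newlines to extract the subject and the privilege list gets one unbroken line. The following is an added example, not code from the issue or from the Winlogbeat project: it detects that double-escaped form in stored events, reverses it for the C0 control range only, and then parses the 4672 body into subject fields and a privilege list. The sample message is a constructed, trimmed copy of the reporter's output; the function names are my own.

```python
import re
from typing import Dict, List

# Constructed sample: the "message" value as the issue shows it arriving in
# Logstash, with control characters already rendered as literal \uXXXX text
# (trimmed copy of the reporter's 4672 event, not a live capture).
SAMPLE_MESSAGE = (
    "Special privileges assigned to new logon.\\u000d\\u000a\\u000d\\u000a"
    "Subject:\\u000d\\u000a"
    "\\u0009Security ID:\\u0009\\u0009S-1-5-18\\u000d\\u000a"
    "\\u0009Account Name:\\u0009\\u0009SYSTEM\\u000d\\u000a"
    "\\u0009Account Domain:\\u0009\\u0009NT AUTHORITY\\u000d\\u000a"
    "\\u0009Logon ID:\\u0009\\u00090x3E7\\u000d\\u000a\\u000d\\u000a"
    "Privileges:\\u0009\\u0009SeAssignPrimaryTokenPrivilege\\u000d\\u000a"
    "\\u0009\\u0009\\u0009SeTcbPrivilege\\u000d\\u000a"
    "\\u0009\\u0009\\u0009SeDebugPrivilege"
)

# Only the C0 control range (U+0000..U+001F) was double-escaped by the bug;
# any other literal \uXXXX text in a message is left untouched so that
# legitimate payload content is not rewritten.
_CTRL_ESCAPE = re.compile(r"\\u00([01][0-9a-fA-F])")


def is_double_escaped(text: str) -> bool:
    """True if the field still carries literal \\u00XX control-code text."""
    return _CTRL_ESCAPE.search(text) is not None


def unescape_control_codes(text: str) -> str:
    """Turn literal \\u000d / \\u000a / \\u0009 sequences back into CR, LF, TAB."""
    return _CTRL_ESCAPE.sub(lambda m: chr(int(m.group(1), 16)), text)


def parse_4672(message: str) -> Dict[str, object]:
    """Parse a Security 4672 message body into subject fields and a privilege list."""
    msg = unescape_control_codes(message)
    # Windows writes CRLF line endings; normalise to LF before splitting.
    lines = msg.replace("\r\n", "\n").split("\n")
    subject: Dict[str, str] = {}
    privileges: List[str] = []
    section = None
    for raw in lines:
        line = raw.strip("\t ")
        if not line:
            continue
        if line == "Subject:":
            section = "subject"
            continue
        if line.startswith("Privileges:"):
            section = "privileges"
            # The first privilege sits on the same line as the header.
            first = line[len("Privileges:"):].strip("\t ")
            if first:
                privileges.append(first)
            continue
        if section == "subject" and ":" in line:
            key, _, value = line.partition(":")
            subject[key.strip()] = value.strip("\t ")
        elif section == "privileges":
            privileges.append(line)
    return {"subject": subject, "privileges": privileges}


if __name__ == "__main__":
    print("double-escaped:", is_double_escaped(SAMPLE_MESSAGE))
    parsed = parse_4672(SAMPLE_MESSAGE)
    print("subject:", parsed["subject"])
    print("privileges:", parsed["privileges"])
```

`is_double_escaped` is the check to run over events ingested while 6.6.2 was deployed: a hit means the field was produced by the affected version and needs the unescape step before any newline-based extraction (for example, alerting on SeDebugPrivilege in the privilege list) will work.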
adriansr added a commit to adriansr/beats that referenced this issue Mar 21, 2019
Previous fix (elastic#11006) made Winlogbeat escape CRLF control characters
which are expected in Windows event logs.

Fixes elastic#11328
adriansr added a commit that referenced this issue Mar 21, 2019
Previous fix (#11006) made Winlogbeat escape CRLF control characters
which are expected in Windows event logs.

Fixes #11328
adriansr added a commit to adriansr/beats that referenced this issue Mar 21, 2019
Previous fix (elastic#11006) made Winlogbeat escape CRLF control characters
which are expected in Windows event logs.

Fixes elastic#11328

(cherry picked from commit 6865403)
adriansr added a commit that referenced this issue Mar 21, 2019
Previous fix (#11006) made Winlogbeat escape CRLF control characters
which are expected in Windows event logs.

Fixes #11328

(cherry picked from commit 6865403)
adriansr added a commit that referenced this issue Mar 22, 2019
…1372)

Previous fix (#11006) made Winlogbeat escape CRLF control characters
which are expected in Windows event logs.

Fixes #11328

(cherry picked from commit 6865403)
adriansr added a commit that referenced this issue Mar 28, 2019
…1370)

Previous fix (#11006) made Winlogbeat escape CRLF control characters
which are expected in Windows event logs.

Fixes #11328

(cherry picked from commit 6865403)
leweafan pushed a commit to leweafan/beats that referenced this issue Apr 28, 2023
…ces (elastic#11370)

Previous fix (elastic#11006) made Winlogbeat escape CRLF control characters
which are expected in Windows event logs.

Fixes elastic#11328

(cherry picked from commit 5db0f15)
leweafan pushed a commit to leweafan/beats that referenced this issue Apr 28, 2023
…ces (elastic#11372)

Previous fix (elastic#11006) made Winlogbeat escape CRLF control characters
which are expected in Windows event logs.

Fixes elastic#11328

(cherry picked from commit 6865403)