Closed
The XML schema for Windows event logs defines the Version as an unsignedByte (reference). It contains the version number of the event's definition.
```xml
<xs:element name="Version"
    type="unsignedByte"
/>
```

Events containing Version values that are not uint8 will cause the XML parser to return an error. This results in an event from Winlogbeat with an error.message and not much usable data.
```json
{
  "@metadata": {
    "beat": "winlogbeat",
    "type": "_doc",
    "version": "8.0.0"
  },
  "@timestamp": "0001-01-01T00:00:00.000Z",
  "agent": {
    "ephemeral_id": "df2506e7-02ed-483d-ad29-71ce21c33568",
    "hostname": "vagrant",
    "id": "29845c4d-9a56-426f-b12f-7c930602301b",
    "type": "winlogbeat",
    "version": "8.0.0"
  },
  "ecs": {
    "version": "1.4.0"
  },
  "error": {
    "message": "strconv.ParseUint: parsing \"101.3\": invalid syntax"
  },
  "event": {
    "code": 4656,
    "created": "2020-01-24T20:31:06.581Z",
    "kind": "event",
    "original": "<Event xmlns='http://schemas.netapp.com/events/event'><System><Provider Name='NetApp-Security-Auditing' Guid='{3CB2A168-FE19-4A4E-BDAD-DCF422F13473}'/><EventID>4656</EventID><EventName>Open Object</EventName><Version>101.3</Version><Source>CIFS</Source><Level>0</Level><Opcode>0</Opcode><Keywords>0x8020000000000000</Keywords><Result>Audit Success</Result><TimeCreated SystemTime='2019-03-26T23:27:07.015494000Z'/><Correlation/><Channel>Security</Channel><Computer>anvil/vs-anvil</Computer><ComputerUUID>b5552ea8-5ae2-11e6-b524-00a098a5d936/91f499cd-5cfe-11e6-b525-00a098a5d936</ComputerUUID><Security/></System><EventData><Data Name='SubjectIP' IPVersion='4'>192.168.1.2</Data><Data Name='SubjectHostname' Source=''></Data><Data Name='SubjectUnix' Uid='65534' Gid='65534' Local='false'/><Data Name='SubjectUserSid'>S-1-5-21-2770437333-1905433116-4256127273-1282</Data><Data Name='SubjectUserIsLocal'>false</Data><Data Name='SubjectDomainName'>DOMAIN</Data><Data Name='SubjectUserName'>john.doe</Data><Data Name='ObjectServer'>Security</Data><Data Name='ObjectType'>File</Data><Data Name='HandleID'>00000000000000;00;00000000;00000000</Data><Data Name='ObjectName'>(workshop_fg);/path/09.jpg</Data><Data Name='AccessList'>%%4416 %%4417 %%4418 %%4419 %%4420 %%4423 %%4424 %%1538 </Data><Data Name='AccessMask'>8607</Data><Data Name='DesiredAccess'>Read Data; List Directory; Write Data; Add File; Append Data; Add Subdirectory; Read Extended Attributes; Write Extended Attributes; Read Attributes; Write Attributes; Read ACL; </Data><Data Name='Attributes'>Set Attributes; Create; Open a non-directory; </Data></EventData></Event>",
    "provider": "NetApp-Security-Auditing"
  },
  "host": {
    "name": "vagrant"
  },
  "log": {
    "file": {
      "path": "C:\\vagrant\\winlogbeat\\sys\\wineventlog\\testdata\\netapp-example.evtx"
    },
    "level": "information"
  },
  "winlog": {
    "api": "wineventlog",
    "channel": "",
    "event_id": 4656,
    "provider_guid": "{3CB2A168-FE19-4A4E-BDAD-DCF422F13473}",
    "provider_name": "NetApp-Security-Auditing",
    "record_id": 0,
    "task": ""
  }
}
```
I propose we make the parsing of Version more lenient and simply drop values that are not in the uint8 range. We cannot change the type of winlog.version, which is long in Elasticsearch, without a breaking change.
OSwimmer
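The lenient parsing proposed above, as an added example that is not Winlogbeat's own code: a strict struct with `Version uint8` reproduces the `strconv.ParseUint ... invalid syntax` failure from the issue, while a custom `xml.Unmarshaler` type drops any Version that is not a uint8 (non-integer or out of range) and keeps the rest of the event. The sample events are constructed, trimmed-down versions of the NetApp event shown above; the type and function names are hypothetical.

```go
package main

import (
	"encoding/xml"
	"fmt"
	"strconv"
	"strings"
)

// Constructed sample events (not real captures): the NetApp case from the
// issue, a schema-conforming Windows value, and an out-of-range integer.
const sampleNetAppEvent = `<Event xmlns='http://schemas.netapp.com/events/event'><System><Provider Name='NetApp-Security-Auditing'/><EventID>4656</EventID><Version>101.3</Version></System></Event>`
const sampleWindowsEvent = `<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='Microsoft-Windows-Security-Auditing'/><EventID>4656</EventID><Version>1</Version></System></Event>`
const sampleOutOfRangeEvent = `<Event><System><EventID>4656</EventID><Version>300</Version></System></Event>`

// Strict mapping: encoding/xml applies strconv.ParseUint(..., 10, 8) to the
// element text, so "101.3" makes the whole Unmarshal fail.
type strictSystem struct {
	EventID uint32 `xml:"EventID"`
	Version uint8  `xml:"Version"`
}

type strictEvent struct {
	System strictSystem `xml:"System"`
}

func parseStrict(raw string) (uint8, error) {
	var e strictEvent
	if err := xml.Unmarshal([]byte(raw), &e); err != nil {
		return 0, err
	}
	return e.System.Version, nil
}

// LenientVersion keeps the schema's uint8 type but tolerates producers that
// do not honour it: anything that is not a base-10 integer in 0..255 is
// dropped (Set stays false) instead of failing the event.
type LenientVersion struct {
	Value uint8
	Set   bool
}

func (v *LenientVersion) UnmarshalXML(d *xml.Decoder, start xml.StartElement) error {
	var text string
	if err := d.DecodeElement(&text, &start); err != nil {
		return err // malformed XML is still an error; only the value is lenient
	}
	n, err := strconv.ParseUint(strings.TrimSpace(text), 10, 8)
	if err != nil {
		*v = LenientVersion{} // "101.3", "300", "" -> version omitted
		return nil
	}
	*v = LenientVersion{Value: uint8(n), Set: true}
	return nil
}

type lenientSystem struct {
	EventID uint32         `xml:"EventID"`
	Version LenientVersion `xml:"Version"`
}

type lenientEvent struct {
	System lenientSystem `xml:"System"`
}

// Parsed is what a lenient reader hands on: the event ID always survives,
// the version only when it was a valid uint8.
type Parsed struct {
	EventID    uint32
	Version    uint8
	HasVersion bool
}

func parseLenient(raw string) (Parsed, error) {
	var e lenientEvent
	if err := xml.Unmarshal([]byte(raw), &e); err != nil {
		return Parsed{}, err
	}
	return Parsed{
		EventID:    e.System.EventID,
		Version:    e.System.Version.Value,
		HasVersion: e.System.Version.Set,
	}, nil
}

func main() {
	if _, err := parseStrict(sampleNetAppEvent); err != nil {
		fmt.Println("strict:", err)
	}
	for _, raw := range []string{sampleNetAppEvent, sampleWindowsEvent, sampleOutOfRangeEvent} {
		p, err := parseLenient(raw)
		fmt.Printf("lenient: %+v err=%v\n", p, err)
	}
}
```

The lenient type only relaxes the value check; malformed XML still surfaces as an error, so a truly broken event is not silently swallowed. Because `winlog.version` stays a `long` in Elasticsearch, omitting the field for bad values is the change that avoids a mapping break.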