fix truncated event log message #41327
Merged
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
intxgo
added
bugfix
backport-8.15
botelastic
bot
added
the
needs_team
intxgo
added
the
Team:Security-Windows Platform
Contributor
|
Pinging @elastic/sec-windows-platform (Team:Security-Windows Platform) |
botelastic
bot
removed
the
needs_team
Contributor
|
|
mergify
bot
added
the
backport-8.x
Contributor
Author
I'm not sure how can I do it on Windows, it seems to be Linux hint? |
matthewscherer
approved these changes
Oct 21, 2024
matthewscherer
left a comment
matthewscherer
left a comment
There was a problem hiding this comment.
Did you add any tests for this case as well?
|
|
||
| var bufferPtr *byte | ||
| if renderBuf != nil { | ||
| if len(renderBuf) > 0 { |
| // this behavior is bad for EvtFormatMessageKeyword as then the API returns a list of null terminated | ||
| // strings in the buffer (it's fine for now as we don't use this parameter value). | ||
| return common.UTF16ToUTF8Bytes(renderBuf, out) | ||
| // bufferUsed indicates the size used internally to render the message. When called with nil buffer |
There was a problem hiding this comment.
At some point it might be nice to profile this code and see how many time we actually see an insufficient buffer size passed to EvtFormatMessage(). I guess it's hard to know which messages our customers are using the most and which ones usually overrun this buffer.
Contributor
Author
There was a problem hiding this comment.
Yes, that's why I opted to increase the scratch buffer significantly to avoid double rendering. The size of the scratch buffer is still insignificant as it's only one buffer per event channel. Anyway unused memory from the buffer will just get paged out at runtime.
No I didn't add any test for the truncation as with having the fallback of allocating memory from the pool this should always succeed.
gabriellandau
previously requested changes
Oct 21, 2024
marc-gr
reviewed
Oct 22, 2024
marc-gr
approved these changes
Oct 22, 2024
mergify bot
pushed a commit
that referenced
this pull request
Oct 22, 2024
* fix truncated event log * changelog * fix warning * fix golint * playing hide an catch with CI * size in bytes * review * code review * add comment, unify code path * refactor code (cherry picked from commit 99d11eb)
6 tasks
mergify bot
pushed a commit
that referenced
this pull request
Oct 22, 2024
* fix truncated event log * changelog * fix warning * fix golint * playing hide an catch with CI * size in bytes * review * code review * add comment, unify code path * refactor code (cherry picked from commit 99d11eb)
mergify bot
pushed a commit
that referenced
this pull request
Oct 22, 2024
* fix truncated event log * changelog * fix warning * fix golint * playing hide an catch with CI * size in bytes * review * code review * add comment, unify code path * refactor code (cherry picked from commit 99d11eb)
This was referenced Oct 22, 2024
intxgo
added a commit
that referenced
this pull request
Oct 23, 2024
* fix truncated event log * changelog * fix warning * fix golint * playing hide an catch with CI * size in bytes * review * code review * add comment, unify code path * refactor code (cherry picked from commit 99d11eb) Co-authored-by: Leszek Kubik <[email protected]>
intxgo
added a commit
that referenced
this pull request
Oct 23, 2024
* fix truncated event log * changelog * fix warning * fix golint * playing hide an catch with CI * size in bytes * review * code review * add comment, unify code path * refactor code (cherry picked from commit 99d11eb) Co-authored-by: Leszek Kubik <[email protected]>
intxgo
added a commit
that referenced
this pull request
Oct 23, 2024
* fix truncated event log * changelog * fix warning * fix golint * playing hide an catch with CI * size in bytes * review * code review * add comment, unify code path * refactor code (cherry picked from commit 99d11eb) Co-authored-by: Leszek Kubik <[email protected]>
Closed
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
5 participants
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Fixes
Proposed commit message
Fix windows event log ingest issues caused by event message truncation.
Checklist
CHANGELOG.next.asciidocorCHANGELOG-developer.next.asciidoc.Disruptive User Impact
Author's Checklist
How to test this PR locally
Related issues
Use cases
Screenshots
Logs