-
Notifications
You must be signed in to change notification settings - Fork 19
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
windows_eventlog2 invalid/corrupt output #79
Comments
It's winevt_c or fluent-plugin-windows-evnetlog's issue. |
I guess that it may be solved by appropriate https://github.com/fluent/fluent-plugin-windows-eventlog#parameters |
I'm not sure but I don't think so. |
VALUE
wstr_to_rb_str(UINT cp, const WCHAR* wstr, int clen)
{
VALUE vstr;
CHAR* ptr;
int len = WideCharToMultiByte(cp, 0, wstr, clen, nullptr, 0, nullptr, nullptr);
ptr = ALLOCV_N(CHAR, vstr, len);
WideCharToMultiByte(cp, 0, wstr, clen, ptr, len, nullptr, nullptr);
VALUE str = rb_utf8_str_new_cstr(ptr);
ALLOCV_END(vstr);
return str;
} In winevt_c, probably the above function always called with |
More info. Using C# to write integer representations of the characters led me astray. There is no 03 ETX present. Instead it's a 13 (carriage return). I still don't know why it was printed to the screen as a 3. Here is a string snippet: Bytes as UTF-8:
Bytes as Unicode. After index 15 the Unicode conversion shows the true readable values.
|
@sunayk Could you try to use winevt_c master ( fluent-plugins-nursery/winevt_c@bc89d44 )? |
Describe the bug
Possible buffer overflow? Original issue posted on the Fluentd Google Group showed there were unexpected CJK characters in event logs. Upon further investigation these are not CJK characters, but rather botched unicode bytes appended to the original text after the "end of text" character. This leads me to believe the windows_eventlog2 plugin may be reading past the desired bytes in memory and grabbing extra data.
Here is how it looks:
"Description":"The resource loader failed to find MUI file.
㐳㈸‧獉畃牲湥㵴琧畲❥㸯⼼潂歯慭歲楌瑳>>䏐涔倀者䈼潯浫牡䱫獩㹴†䈼潯浫牡桃湡敮㵬洧捩潲潳瑦眭湩潤獷欭牥敮湰⽰潣普杩牵瑡潩❮删捥牯䥤㵤㈧㐱✱䤠䍳牵敲瑮✽牴敵⼧ാ㰊䈯潯浫牡䱫獩㹴㸀",
To Reproduce
Configure Fluentd to read all event logs with "read_all_channels true". This does not occur on the top-level Application, System, and Security logs. Coonfigure the match to dump all output to a local json file for convenience.
In the below code I had already narrowed it down to the wer-payloadhealth log, but that may not be consistent on every system, which is why I recommended using "read_all_channels true".
Expected behavior
The output json file will contain numerous Description elements with what appears to be CJK text. Many if not all will be associated with the what should be an empty Description.
The corresponding Description in Windows will likely be "The Description for event ID xx .... cannot be found."
Grab a Description text from the log and run it through a converter, such as the C# below:
string originalString = "paste string here";
foreach (char c in originalString)
{
byte[] utf8Bytes = Encoding.Unicode.GetBytes(c.ToString());
Console.WriteLine($"{(int)c} - { Encoding.UTF8.GetString(utf8Bytes)}");
}
EDIT the 3 printed below is actually "13" (carriage return).
Something that stands out is the "3", which is the "end of text" character. For now I can add a check to that in my code to signify what is valid text.
You can see after it gets past "10", the line feed character, everything goes a bit wonky.
Here is a snippet of the output:
Colums are Integer value - character
77 - M
85 - U
73 - I
32 -
102 - f
105 - i
108 - l
101 - e
46 - .
3 -
10 -
13363 - 34
12856 - 82
8231 - '
29513 - Is
30019 - Cu
29298 - rr
28261 - en
15732 - t=
29735 - 't
30066 - ru
10085 - e'
15919 - />
2573 -
Your Environment
Your Configuration
Your Error Log
Additional context
No response
The text was updated successfully, but these errors were encountered: