
[pkg/stanza] eventData for Windows event logs should be a map if possible #20547

Closed
swiatekm opened this issue Apr 3, 2023 · 3 comments
Labels: bug (Something isn't working), pkg/stanza

Comments

swiatekm commented Apr 3, 2023

Component(s)

pkg/stanza

What happened?

Description

Windows events have an eventData field, which contains data specific to the event type. The windows input in stanza currently parses this as a slice of strings, which it populates with the entry values. However, the entries can also have names, and in that case, it makes more sense for this to be a map.

For example:

<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
    <System>
        <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
        <EventID>5159</EventID>
        <Version>0</Version>
        <Level>0</Level>
        <Task>12810</Task>
        <Opcode>0</Opcode>
        <Keywords>0x8010000000000000</Keywords>
        <TimeCreated SystemTime="2019-04-19T07:36:55.955388300Z" />
        <EventRecordID>44097</EventRecordID>
        <Correlation />
        <Execution ProcessID="4" ThreadID="6480" />
        <Channel>Security</Channel>
        <Computer>DC01.contoso.local</Computer>
        <Security />
    </System>
    <EventData>
        <Data Name="ProcessId">7924</Data>
        <Data Name="Application">\device\harddiskvolume2\users\test\desktop\netcat\nc.exe</Data>
        <Data Name="SourceAddress">0.0.0.0</Data>
        <Data Name="SourcePort">5555</Data>
        <Data Name="Protocol">6</Data>
        <Data Name="FilterRTID">84614</Data>
        <Data Name="LayerName">%%14608</Data>
        <Data Name="LayerRTID">36</Data>
    </EventData>
</Event>

See here for reference.

Steps to Reproduce

Any use of the windowseventlog receiver will show the problem. I've included the output for the example above below.

Expected Result

I'd expect to get the following for the example above:

{
  ...
  "event_data": {
    "ProcessId": "7924",
    "Application": "\\device\\harddiskvolume2\\users\\test\\desktop\\netcat\\nc.exe",
    "SourceAddress": "0.0.0.0",
    "SourcePort": "5555",
    "Protocol": "6",
    "FilterRTID": "84614",
    "LayerName": "%%14608",
    "LayerRTID": "36"
  }
}

Actual Result

{
  ...
  "event_data": [
    "7924",
    "\\device\\harddiskvolume2\\users\\test\\desktop\\netcat\\nc.exe",
    "0.0.0.0",
    "5555",
    "6",
    "84614",
    "%%14608",
    "36"
  ]
}

Collector version

All recent versions

Environment information

No response

OpenTelemetry Collector configuration

No response

Log output

No response

Additional context

No response
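The parsing rule the issue asks for, as an added Go example that is not the stanza windows input's own code: build a map keyed by each Data element's Name attribute when every element carries one, and fall back to the plain slice otherwise. The struct names are assumptions for this example, and it goes one step beyond the issue by also falling back to the slice when a Name repeats, so that no value is silently overwritten; named keys are what let a detection rule reference a field such as Application directly instead of by position.

```go
package main

import "encoding/xml"
import "fmt"

// Constructed sample: the EventData of the event 5159 XML quoted in the issue, trimmed.
const sampleEvent = `<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <EventData>
    <Data Name="ProcessId">7924</Data>
    <Data Name="Application">\device\harddiskvolume2\users\test\desktop\netcat\nc.exe</Data>
    <Data Name="SourcePort">5555</Data>
  </EventData>
</Event>`

// eventXML is a hypothetical struct covering only the Data elements this example needs.
type eventXML struct {
	Data []struct {
		Name  string `xml:"Name,attr"`
		Value string `xml:",chardata"`
	} `xml:"EventData>Data"`
}

// EventData: Named when every Data element has a unique Name, else Ordered (today's slice).
type EventData struct {
	Named   map[string]string
	Ordered []string
}

func parseEventData(raw string) (EventData, error) {
	var ev eventXML
	if err := xml.Unmarshal([]byte(raw), &ev); err != nil {
		return EventData{}, err
	}
	named := make(map[string]string, len(ev.Data))
	ordered := make([]string, 0, len(ev.Data))
	mappable := len(ev.Data) > 0
	for _, d := range ev.Data {
		ordered = append(ordered, d.Value)
		if _, dup := named[d.Name]; d.Name == "" || dup {
			mappable = false // anonymous or repeated Name: a map would silently drop a value
		}
		named[d.Name] = d.Value
	}
	if !mappable {
		return EventData{Ordered: ordered}, nil
	}
	return EventData{Named: named}, nil
}

func main() { fmt.Println(parseEventData(sampleEvent)) }
```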

swiatekm added the labels bug (Something isn't working) and needs triage (New item requiring triage) on Apr 3, 2023
swiatekm changed the title from "eventData for Windows event logs should be a map if possible" to "[pkg/stanza] eventData for Windows event logs should be a map if possible" on Apr 3, 2023
github-actions bot commented Apr 3, 2023

Pinging code owners:

See Adding Labels via Comments if you do not have permissions to add labels yourself.

swiatekm commented Apr 3, 2023

@djaglowski I have a fix ready to go, so you can assign directly to me if you think the change is obvious enough. I think it's technically breaking, but realistically nobody was actually depending on this, as it's basically unusable in its current state.

swiatekm (Contributor, Author) commented:

Fixed in #20882
