Hello everyone! I was studying the system/security decoder and I noticed that in the expected ones, the paths of records or files are with double backslashes. I understand that it is to escape the bar that already brings the windows event. But here comes my doubt. What event do they take? the overview event or the xml event? because the xml event already comes with the escape, so the output in elastic should have 4 backslashes instead of 2. unless it is not the xml event that is being taken. I have this doubt since I saw that the events are in evtx format. example: integrations/packages/system/data_stream/security/_dev/test/pipeline/test-4670-windowssrv2016.json at 3d69d50f4c2aede1e9b7472485a6a06d8619d702 · elastic/integrations · GitHub
Winlogbeat is unmarshalling the xml
Are you sure you're reading/viewing the xml data correctly?
Hi lesio! The confusion arises when you see how the events are in your xml view:
I noticed that in its general view the paths come out with a backslash and in the xml view they come out with two backslashes (due to the escape character). When transforming this into json, shouldn't it be escaped again to preserve the two backslashes, leaving \\ instead of \?
Anyone can correct me. I did some digging on the source code, it seems in transforming the event into json, winlogbeat isn't trying to preserve the format of raw XML input, rather, it preserves the information.
This should be the UnmarshalXML function Leszek mentioned:
which eventually calls into this decode function to decode the raw XML:
It seems when dealing with Windows paths, the goal is to be able to locate the original paths from the json. I believe the path strings we see in json is expected.
I see, honestly I didn't even know the xml view exist in Kibana.
It is somewhat confusing that in some places the paths must be escaped and in others not. I stepped on this problem a few times, but I forgot where it was.