Elastic parsing error field type format incorrect

Hello, I am collecting Windows event logs via the MS Windows Event Log Collector, which are then forwarded to Graylog via Winlogbeat. I am getting alerts about parsing errors for a Winlogbeat field, shown below, due to the field data being in the incorrect format. I verified that the event logs that are failing have data in the "ProcessCreationTime" field that is not in a date/time format. I also show below an example of an event log that is parsing properly with the correct date/time format. So I have a conflict here, with two different data format types. From reading, I learned that Elastic dynamically learns the type from the populated data, which it has. What do I do about the other logs that have the data in a different format? Edit: I bet it has something to do with the winlogbeat.yml configuration, maybe under processors:? Any recommendations?

Graylog parsing error message:

[type=mapper_parsing_exception, reason=failed to parse field [winlogbeat_winlog_event_data_ProcessCreationTime] of type [date] in document with id '9ae0bcb9-d2fa-11ed-ab3f-5ced8c62e140'. Preview of field's value: '0x1d96701c22c85b6']];

Windows event log - parsing error due to field with wrong data format:

<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Application Error" Guid="{a0e9b465-b939-57d7-b27d-95d8e925ff57}" />
    <EventID>1000</EventID>
    <Version>0</Version>
    <Level>2</Level>
    <Task>100</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8000000000000000</Keywords>
    <TimeCreated SystemTime="2023-04-04T15:08:46.4429091Z" />
    <EventRecordID>8328</EventRecordID>
    <Correlation />
    <Execution ProcessID="17216" ThreadID="16092" />
    <Channel>Application</Channel>
    <Computer>xxxxxxxxxxxxl</Computer>
    <Security UserID="xxxxxxxxxxxxxxxxxxxxxx" />
  </System>
  <EventData>
    <Data Name="AppName">mmc.exe</Data>
    <Data Name="AppVersion">10.0.22621.1</Data>
    <Data Name="AppTimeStamp">151c64e4</Data>
    <Data Name="ModuleName">mso20win32client.dll</Data>
    <Data Name="ModuleVersion">0.0.0.0</Data>
    <Data Name="ModuleTimeStamp">63e58f6a</Data>
    <Data Name="ExceptionCode">01483052</Data>
    <Data Name="FaultingOffset">000000000023176d</Data>
    <Data Name="ProcessId">0x380c</Data>
    <Data Name="ProcessCreationTime">0x1d96701c22c85b6</Data>
    <Data Name="AppPath">C:\WINDOWS\system32\mmc.exe</Data>
    <Data Name="ModulePath">C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll</Data>
    <Data Name="IntegratorReportId">67b66e02-c754-41c6-9a15-0f38f97025e0</Data>
    <Data Name="PackageFullName" />
    <Data Name="PackageRelativeAppId" />
  </EventData>
</Event>

Event parsing properly with correct data format for field:

<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" />
    <EventID>5379</EventID>
    <Version>0</Version>
    <Level>0</Level>
    <Task>13824</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8020000000000000</Keywords>
    <TimeCreated SystemTime="2023-04-04T17:41:37.3849558Z" />
    <EventRecordID>25376954</EventRecordID>
    <Correlation ActivityID="{8dc0fab5-6229-0002-eefa-c08d2962d901}" />
    <Execution ProcessID="1148" ThreadID="15828" />
    <Channel>Security</Channel>
    <Computer>xxxxxxxxxxxxxxx</Computer>
    <Security />
  </System>
  <EventData>
    <Data Name="SubjectUserSid">xxxxxxxxxxxxxxxxxxx</Data>
    <Data Name="SubjectUserName">xxxxxxx</Data>
    <Data Name="SubjectDomainName">xxxxxxx</Data>
    <Data Name="SubjectLogonId">0xxxxxxx</Data>
    <Data Name="TargetName">MicrosoftOffice16_Data:live:cid=*</Data>
    <Data Name="Type">0</Data>
    <Data Name="CountOfCredentialsReturned">0</Data>
    <Data Name="ReadOperation">%%8100</Data>
    <Data Name="ReturnCode">3221226021</Data>
    <Data Name="ProcessCreationTime">2023-04-03T00:57:16.4942675Z</Data>
    <Data Name="ClientProcessId">3808</Data>
  </EventData>
</Event>

We are exploring creating a pipeline process in Graylog to either change the value of this field to be a string rather than a datetime for all data going into the field,
OR
match on the field and, if the field data does not match the datetime format, create a new field to hold this data. Any pros able to assist in writing this? We currently tried this rule; however, it did not work. Thanks

rule "Catch Error"
when
  // The field is named winlogbeat_winlog_event_data_ProcessCreationTime in the
  // mapper_parsing_exception above, not ProcessCreationTime, so match on that name.
  has_field("winlogbeat_winlog_event_data_ProcessCreationTime")
then
  // to_string() has to be applied to the field's value ($message.<field>), not to the
  // boolean that has_field() returns, which is what the original rule stored.
  set_field("winlogbeat_winlog_event_data_ProcessCreationTime",
            to_string($message.winlogbeat_winlog_event_data_ProcessCreationTime));
end
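The two encodings in the post are a Windows FILETIME written in hex by the Application Error provider (event 1000) and an ISO 8601 UTC string from Security Auditing (event 5379). The following is an added example, not code from the original post, Graylog or Elastic, that models the second option described above in Python rather than in the pipeline rule language so the logic can be run offline: values already in ISO form pass through, FILETIME hex is converted to an ISO 8601 UTC timestamp (so the field keeps its `date` type instead of being downgraded to a string), and anything in neither encoding is moved to a separate field. It assumes the hex value is a 64-bit FILETIME (100 ns ticks since 1601-01-01T00:00:00Z); the fallback field name `winlogbeat_winlog_event_data_ProcessCreationTime_raw` and the sample messages are constructed for the example.

```python
import re
from datetime import datetime, timedelta, timezone
from typing import Optional

# Field name exactly as it appears in the mapper_parsing_exception quoted above.
FIELD = "winlogbeat_winlog_event_data_ProcessCreationTime"
# Hypothetical fallback field for values in neither known encoding (name is an assumption).
RAW_FIELD = FIELD + "_raw"

# Windows FILETIME: 64-bit count of 100 ns ticks since 1601-01-01T00:00:00Z.
# Application Error (event 1000) writes ProcessCreationTime as this count in hex.
_FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
_FILETIME_RE = re.compile(r"^0x[0-9a-fA-F]{1,16}$")
# Security Auditing (event 5379) writes it as ISO 8601 UTC with up to 7 fractional digits.
_ISO_RE = re.compile(
    r"^(\d{4})-(\d{2})-(\d{2})T(\d{2}):(\d{2}):(\d{2})(?:\.(\d{1,9}))?Z$"
)


def filetime_to_datetime(value: str) -> datetime:
    """Convert a hex FILETIME such as 0x1d96701c22c85b6 to an aware UTC datetime."""
    ticks = int(value, 16)
    # timedelta carries microseconds; the trailing 100 ns digit is truncated.
    return _FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def parse_iso_utc(value: str) -> Optional[datetime]:
    """Parse the event-log ISO 8601 form without relying on fromisoformat()'s
    version-dependent handling of a trailing 'Z' and 7-digit fractions."""
    m = _ISO_RE.match(value)
    if m is None:
        return None
    year, month, day, hour, minute, second, frac = m.groups()
    micro = int((frac or "0")[:6].ljust(6, "0"))  # keep microsecond precision
    return datetime(int(year), int(month), int(day), int(hour), int(minute),
                    int(second), micro, tzinfo=timezone.utc)


def to_iso(dt: datetime) -> str:
    """Render in the ISO 8601 UTC form that Elasticsearch's default date mapping accepts."""
    return dt.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.%fZ")


def normalise(message: dict) -> dict:
    """Return a copy of `message` in which FIELD holds only ISO 8601 UTC dates.

    ISO values pass through unchanged; FILETIME hex is converted; anything else
    is moved to RAW_FIELD so the date-mapped field is never handed a non-date.
    """
    msg = dict(message)
    value = msg.get(FIELD)
    if value is None:
        return msg
    text = str(value).strip()
    if parse_iso_utc(text) is not None:
        msg[FIELD] = text
        return msg
    if _FILETIME_RE.match(text):
        msg[FIELD] = to_iso(filetime_to_datetime(text))
        return msg
    msg[RAW_FIELD] = msg.pop(FIELD)  # preserve the value, but out of the date field
    return msg


# Constructed sample messages; the two timestamp values are the ones quoted in the post.
SAMPLE_MESSAGES = {
    "app_error_1000": {"winlogbeat_event_id": 1000, FIELD: "0x1d96701c22c85b6"},
    "security_5379": {"winlogbeat_event_id": 5379, FIELD: "2023-04-03T00:57:16.4942675Z"},
    "unknown": {"winlogbeat_event_id": 1000, FIELD: "not-a-timestamp"},
}


if __name__ == "__main__":
    for name, msg in SAMPLE_MESSAGES.items():
        print(name, normalise(msg))
```

Run against the value from the failing event, 0x1d96701c22c85b6 decodes to 2023-04-04T14:28:43.446623Z, about forty minutes before that event's TimeCreated of 15:08:46Z; that ordering (creation time before the crash, same day) is the sanity check to apply before trusting the FILETIME interpretation. Whichever option is implemented in the pipeline, note that the field's mapping in the current index is already `date` and cannot be changed in place, so a rule that merely rewrites every value with to_string() does not stop the mapper from parsing it as a date until the index rotates with a matching mapping; converting to a real date, or moving the non-date values to a separate field as above, avoids the error on the existing index.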
