Hey Folks,
I ran into this error when I tried to run my Logstash pipeline:
[2021-10-06T21:41:34,176][WARN ][logstash.outputs.elasticsearch][logstash_pipeline_2][e957447bf4995516c816dfcbd573d1dabd794c31f242e6642bc68deb57a3a436] Could not index event to Elasticsearch. {:status=>400, :action=>["index", {:_id=>nil, :_index=>"winlogbeat-clientxxx", :routing=>nil, :pipeline=>"winlogbeat-pipeline"}, {"message"=>"An operation was attempted on a privileged object.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-21-1479276569-2394031586-3536476750-1025\n\tAccount Name:\t\txxxRedactedxxx\n\tAccount Domain:\t\thost--clientxxx\n\tLogon ID:\t\t0x1083839\n\nObject:\n\tObject Server:\tSecurity\n\tObject Type:\tSection\n\tObject Name:\t\\BaseNamedObjects\\xxxRedactedxxx::ipc::shm::iam::5555_svr_13230\n\tObject Handle:\t0x1d8\n\nProcess Information:\n\tProcess ID:\t0x1258\n\tProcess Name:\tC:\\Program Files\\xxxRedactedxxx\\xxxRedactedxxx\\iam\\util\\xxxRedactedxxx.exe\n\nRequested Operation:\n\tDesired Access:\tDELETE\n\t\t\t\tREAD_CONTROL\n\t\t\t\tWRITE_DAC\n\t\t\t\tWRITE_OWNER\n\t\t\t\tQuery section state\n\t\t\t\tMap section for write\n\t\t\t\tMap section for read\n\t\t\t\tMap section for execute\n\t\t\t\tExtend size\n\t\t\t\t\n\tPrivileges:\t\tSeTakeOwnershipPrivilege", "organization"=>{"id"=>"clientxxx"}, "@timestamp"=>2021-10-06T21:41:31.566Z, "cloud"=>{"account"=>{"id"=>"xxxRedactedxxx"}, "image"=>{"id"=>"ami-xxxRedactedxxx"}, "instance"=>{"id"=>"i-xxxRedactedxxx"}, "region"=>"xxxRedactedxxx-1", "machine"=>{"type"=>"t3a.large"}, "provider"=>"aws", "availability_zone"=>"xxxRedactedxxx-1a"}, "event"=>{"created"=>"2021-10-06T21:41:32.941Z", "kind"=>"event", "action"=>"Sensitive Privilege Use", "code"=>4674}, "host"=>{"hostname"=>"host--clientxxx", "architecture"=>"x86_64", "name"=>"host--clientxxx", "os"=>{"build"=>"14393.4583", "platform"=>"windows", "name"=>"Windows Server 2016 Datacenter", "family"=>"windows", "kernel"=>"10.0.14393.4583 (rs1_release.210730-1850)", "version"=>"10.0"}, "id"=>"2acbf5b2-7116-40cb-bc7e-967c66947ce5"}, 
"winlog"=>{"provider_guid"=>"{54849625-5478-4994-A5BA-3E3B0328C30D}", "task"=>"Sensitive Privilege Use", "provider_name"=>"Microsoft-Windows-Security-Auditing", "event_data"=>{"ObjectType"=>"Section", "ObjectServer"=>"Security", "SubjectDomainName"=>"host--clientxxx", "HandleId"=>"0x1d8", "ProcessName"=>"C:\\Program Files\\xxxRedactedxxx\\xxxRedactedxxx\\iam\\util\\xxxRedactedxxx.exe", "SubjectUserSid"=>"S-1-5-21-1479276569-2394031586-3536476750-1025", "ObjectName"=>"\\BaseNamedObjects\\xxxRedactedxxx::ipc::shm::iam::5555_svr_13230", "SubjectUserName"=>"xxxRedactedxxx", "PrivilegeList"=>"SeTakeOwnershipPrivilege", "SubjectLogonId"=>"0x1083839", "AccessMask"=>"%%1537\n\t\t\t\t%%1538\n\t\t\t\t%%1539\n\t\t\t\t%%1540\n\t\t\t\t%%4512\n\t\t\t\t%%4513\n\t\t\t\t%%4514\n\t\t\t\t%%4515\n\t\t\t\t%%4516\n\t\t\t\t", "ProcessId"=>"0x1258"}, "api"=>"wineventlog", "keywords"=>["Audit Success"], "computer_name"=>"host--clientxxx.xxxRedactedxxx.xxxRedactedxxx-id.net", "event_id"=>4674, "process"=>{"pid"=>4, "thread"=>{"id"=>32}}, "opcode"=>"Info", "channel"=>"Security", "record_id"=>24860220}, "ecs"=>{"version"=>"1.1.0"}, "tags"=>["beats_input_codec_plain_applied"], "agent"=>{"hostname"=>"host--clientxxx", "type"=>"winlogbeat", "ephemeral_id"=>"4f2356d7-4a14-48bb-a181-20c890c3a8b4", "version"=>"7.4.2", "id"=>"6c4c0182-1632-4458-a51e-28338749b12a"}, "log"=>{"level"=>"information"}, "@version"=>"1"}], :response=>{"index"=>{"_index"=>"winlogbeat-clientxxx", "_type"=>"_doc", "_id"=>nil, "status"=>400, "error"=>{"type"=>"script_exception", "reason"=>"runtime error", "script_stack"=>["ctx?.event?.provider ==~ /xxxRedactedxxx.*/", " ^---- HERE"], "script"=>"ctx?.event?.provider ==~ /xxxRedactedxxx.*/", "lang"=>"painless", "position"=>{"offset"=>10, "start"=>0, "end"=>36}, "caused_by"=>{"type"=>"null_pointer_exception", "reason"=>"Cannot invoke \"java.lang.CharSequence.length()\" because \"this.wrapped\" is null"}}}}}
To highlight the error reason:
"reason"=>"Cannot invoke \"java.lang.CharSequence.length()\" because \"this.wrapped\" is null"
My pipeline looks like this:
# Logstash pipeline: accepts Beats traffic on port 5055, routes filebeat and
# winlogbeat events to Elasticsearch by beat type, and additionally archives
# winlogbeat events to S3.
input {
beats {
port => "5055"
# Binds every interface. No ssl / ssl_certificate / ssl_key options are set on
# this input, so the beat -> Logstash hop is not TLS-protected by this config;
# NOTE(review): confirm whether something in front of Logstash terminates TLS.
host => "0.0.0.0"
}
}
filter {
---------------------------- I'm sure there is nothing wrong with this part because it was working without errors before ----------------------------
}
output {
# The [organization][id] presence check guards only this filebeat branch; the
# winlogbeat branch below interpolates %{[organization][id]} without such a check.
if [organization][id] and [@metadata][beat] == "filebeat" {
# A beat-supplied ingest pipeline name wins when present; otherwise the fixed
# fallback pipeline in the else branch is used.
if [@metadata][pipeline] {
elasticsearch {
# No cacert / ssl_certificate_verification set here, so certificate checking
# runs at the plugin's default against the JVM trust store -- NOTE(review): verify.
ssl => true
hosts => ["xxxRedactedxxx:9243"]
index => "%{[@metadata][beat]}-%{[organization][id]}"
pipeline => "%{[@metadata][pipeline]}"
user => xxxRedactedxxx
# Credential is inline in the config file (here and in the two blocks below);
# a Logstash keystore reference such as "${ES_PWD}" keeps it out of the config
# text and out of version control.
password => "xxxRedactedxxx"
ilm_enabled => false
# Quoted key; same setting as a bare action key.
"action" => "create"
}
}
else {
elasticsearch {
ssl => true
hosts => ["xxxRedactedxxx:9243"]
index => "%{[@metadata][beat]}-%{[organization][id]}"
user => xxxRedactedxxx
password => "xxxRedactedxxx"
ilm_enabled => false
# Fixed fallback used when the beat did not send [@metadata][pipeline].
pipeline => "reindex-filebeat-2020-11-10"
"action" => "create"
}
}
}
# Winlogbeat
else if [@metadata][beat] == "winlogbeat" {
elasticsearch {
ssl => true
hosts => ["xxxRedactedxxx:9243"]
# No [organization][id] guard on this branch: Logstash leaves an unresolved
# %{...} reference as literal text, so an event without the field would be
# sent to an index whose name contains "%{[organization][id]}".
index => "%{[@metadata][beat]}-%{[organization][id]}"
# The 400 in the log above is raised inside this ingest pipeline, not by this
# output block: Elasticsearch reports a Painless script_exception for
# `ctx?.event?.provider ==~ /.../` caused by a null_pointer_exception, and the
# rejected event carries event.action / event.code but no event.provider, so
# the regex is matched against null. The script needs a null check on
# event.provider before the match (the event does carry winlog.provider_name),
# and that fix belongs in the ingest pipeline definition. The log names the
# pipeline "winlogbeat-pipeline"; presumably the redacted name here -- verify.
pipeline => "winlogbeat-xxxRedactedxxx"
user => xxxRedactedxxx
password => "xxxRedactedxxx"
ilm_enabled => false
}
# Archive copy of winlogbeat events; AWS credentials are read from a file
# rather than inlined in this config.
s3 {
aws_credentials_file => "/xxxRedactedxxx/xxxRedactedxxx/xxxRedactedxxx/credentials.yml"
region => "xxxRedactedxxx"
bucket => "xxxRedactedxxx"
# Passed through to the S3 client: path-style addressing, no redirect following.
additional_settings => {
force_path_style => true
follow_redirects => false
}
# Object key layout: <organization id>/<host hostname>/...
prefix => "%{[organization][id]}/%{[host][hostname]}"
}
}
}