Error: Cannot invoke "java.lang.CharSequence.length()" because "this.wrapped" is null

Hey Folks,
I ran into this error when I tried to run my Logstash pipeline:

[2021-10-06T21:41:34,176][WARN ][logstash.outputs.elasticsearch][logstash_pipeline_2][e957447bf4995516c816dfcbd573d1dabd794c31f242e6642bc68deb57a3a436] Could not index event to Elasticsearch. {:status=>400, :action=>["index", {:_id=>nil, :_index=>"winlogbeat-clientxxx", :routing=>nil, :pipeline=>"winlogbeat-pipeline"}, {"message"=>"An operation was attempted on a privileged object.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-21-1479276569-2394031586-3536476750-1025\n\tAccount Name:\t\txxxRedactedxxx\n\tAccount Domain:\t\thost--clientxxx\n\tLogon ID:\t\t0x1083839\n\nObject:\n\tObject Server:\tSecurity\n\tObject Type:\tSection\n\tObject Name:\t\\BaseNamedObjects\\xxxRedactedxxx::ipc::shm::iam::5555_svr_13230\n\tObject Handle:\t0x1d8\n\nProcess Information:\n\tProcess ID:\t0x1258\n\tProcess Name:\tC:\\Program Files\\xxxRedactedxxx\\xxxRedactedxxx\\iam\\util\\xxxRedactedxxx.exe\n\nRequested Operation:\n\tDesired Access:\tDELETE\n\t\t\t\tREAD_CONTROL\n\t\t\t\tWRITE_DAC\n\t\t\t\tWRITE_OWNER\n\t\t\t\tQuery section state\n\t\t\t\tMap section for write\n\t\t\t\tMap section for read\n\t\t\t\tMap section for execute\n\t\t\t\tExtend size\n\t\t\t\t\n\tPrivileges:\t\tSeTakeOwnershipPrivilege", "organization"=>{"id"=>"clientxxx"}, "@timestamp"=>2021-10-06T21:41:31.566Z, "cloud"=>{"account"=>{"id"=>"xxxRedactedxxx"}, "image"=>{"id"=>"ami-xxxRedactedxxx"}, "instance"=>{"id"=>"i-xxxRedactedxxx"}, "region"=>"xxxRedactedxxx-1", "machine"=>{"type"=>"t3a.large"}, "provider"=>"aws", "availability_zone"=>"xxxRedactedxxx-1a"}, "event"=>{"created"=>"2021-10-06T21:41:32.941Z", "kind"=>"event", "action"=>"Sensitive Privilege Use", "code"=>4674}, "host"=>{"hostname"=>"host--clientxxx", "architecture"=>"x86_64", "name"=>"host--clientxxx", "os"=>{"build"=>"14393.4583", "platform"=>"windows", "name"=>"Windows Server 2016 Datacenter", "family"=>"windows", "kernel"=>"10.0.14393.4583 (rs1_release.210730-1850)", "version"=>"10.0"}, "id"=>"2acbf5b2-7116-40cb-bc7e-967c66947ce5"}, 
"winlog"=>{"provider_guid"=>"{54849625-5478-4994-A5BA-3E3B0328C30D}", "task"=>"Sensitive Privilege Use", "provider_name"=>"Microsoft-Windows-Security-Auditing", "event_data"=>{"ObjectType"=>"Section", "ObjectServer"=>"Security", "SubjectDomainName"=>"host--clientxxx", "HandleId"=>"0x1d8", "ProcessName"=>"C:\\Program Files\\xxxRedactedxxx\\xxxRedactedxxx\\iam\\util\\xxxRedactedxxx.exe", "SubjectUserSid"=>"S-1-5-21-1479276569-2394031586-3536476750-1025", "ObjectName"=>"\\BaseNamedObjects\\xxxRedactedxxx::ipc::shm::iam::5555_svr_13230", "SubjectUserName"=>"xxxRedactedxxx", "PrivilegeList"=>"SeTakeOwnershipPrivilege", "SubjectLogonId"=>"0x1083839", "AccessMask"=>"%%1537\n\t\t\t\t%%1538\n\t\t\t\t%%1539\n\t\t\t\t%%1540\n\t\t\t\t%%4512\n\t\t\t\t%%4513\n\t\t\t\t%%4514\n\t\t\t\t%%4515\n\t\t\t\t%%4516\n\t\t\t\t", "ProcessId"=>"0x1258"}, "api"=>"wineventlog", "keywords"=>["Audit Success"], "computer_name"=>"host--clientxxx.xxxRedactedxxx.xxxRedactedxxx-id.net", "event_id"=>4674, "process"=>{"pid"=>4, "thread"=>{"id"=>32}}, "opcode"=>"Info", "channel"=>"Security", "record_id"=>24860220}, "ecs"=>{"version"=>"1.1.0"}, "tags"=>["beats_input_codec_plain_applied"], "agent"=>{"hostname"=>"host--clientxxx", "type"=>"winlogbeat", "ephemeral_id"=>"4f2356d7-4a14-48bb-a181-20c890c3a8b4", "version"=>"7.4.2", "id"=>"6c4c0182-1632-4458-a51e-28338749b12a"}, "log"=>{"level"=>"information"}, "@version"=>"1"}], :response=>{"index"=>{"_index"=>"winlogbeat-clientxxx", "_type"=>"_doc", "_id"=>nil, "status"=>400, "error"=>{"type"=>"script_exception", "reason"=>"runtime error", "script_stack"=>["ctx?.event?.provider ==~ /xxxRedactedxxx.*/", "          ^---- HERE"], "script"=>"ctx?.event?.provider ==~ /xxxRedactedxxx.*/", "lang"=>"painless", "position"=>{"offset"=>10, "start"=>0, "end"=>36}, "caused_by"=>{"type"=>"null_pointer_exception", "reason"=>"Cannot invoke \"java.lang.CharSequence.length()\" because \"this.wrapped\" is null"}}}}}

If I highlight the error reason:

"reason"=>"Cannot invoke \"java.lang.CharSequence.length()\" because \"this.wrapped\" is null"

My pipeline looks like this:

input {
  beats {
    port => "5055"
    host => "0.0.0.0"
  }
}
filter { 
  # ---- I'm sure there is nothing wrong with this part because it was working without errors before ----
}
output {
  if [organization][id] and [@metadata][beat] == "filebeat" {
    if [@metadata][pipeline] {
      elasticsearch {
        ssl => true
        hosts => ["xxxRedactedxxx:9243"]
        index => "%{[@metadata][beat]}-%{[organization][id]}"
        pipeline => "%{[@metadata][pipeline]}"
        user => xxxRedactedxxx
        password => "xxxRedactedxxx"
        ilm_enabled => false
        "action" => "create"
      }      
    } 
    else {
      elasticsearch {
        ssl => true
        hosts => ["xxxRedactedxxx:9243"]
        index => "%{[@metadata][beat]}-%{[organization][id]}"
        user => xxxRedactedxxx
        password => "xxxRedactedxxx"
        ilm_enabled => false
        pipeline => "reindex-filebeat-2020-11-10"
        "action" => "create"
      }
    }
  }
  # Winlogbeat
  else if [@metadata][beat] == "winlogbeat" {
    elasticsearch {
      ssl => true
      hosts => ["xxxRedactedxxx:9243"]
      index => "%{[@metadata][beat]}-%{[organization][id]}"
      pipeline => "winlogbeat-xxxRedactedxxx"
      user => xxxRedactedxxx
      password => "xxxRedactedxxx"
      ilm_enabled => false
    }
    s3 {
      aws_credentials_file => "/xxxRedactedxxx/xxxRedactedxxx/xxxRedactedxxx/credentials.yml"
      region => "xxxRedactedxxx"
      bucket => "xxxRedactedxxx"
      additional_settings => {
        force_path_style => true
        follow_redirects => false
      }
      prefix => "%{[organization][id]}/%{[host][hostname]}"
    }
  }
}

I would say that what you have there is an Elasticsearch question, not a logstash question.

logstash is logging the 400 status code that Elasticsearch returned when it tried to index a document that logstash sent it.

The exception is a script_exception. You do not have any scripts in your Elasticsearch outputs, so that suggests that maybe you have scripts in your index mapping.

I would suggest using curl to index that document directly to Elasticsearch using the Bulk API. Then look at the scripts in the mapping. If at that point you are still stuck, post a question in the Elasticsearch forum.

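As an added example (not part of the original thread, and not the poster's or Elastic's code), the replay suggested in the answer above can be prepared in Python: it builds the Bulk API body with the index and ingest pipeline named in the warning, and mimics the `ctx?.event?.provider` lookup to show what the script receives. `EVENT` is a constructed, trimmed copy of the logged event; `null_safe_get`, `bulk_body`, `replay`, the base URL and the auth header are assumptions for illustration.

```python
import json
import urllib.request

# Constructed sample: a trimmed copy of the rejected event from the Logstash
# warning above (only fields relevant to the failing script are kept).
EVENT = {
    "@timestamp": "2021-10-06T21:41:31.566Z",
    "organization": {"id": "clientxxx"},
    "event": {"kind": "event", "action": "Sensitive Privilege Use", "code": 4674},
    "winlog": {"provider_name": "Microsoft-Windows-Security-Auditing", "event_id": 4674},
}

def null_safe_get(doc, dotted_path):
    """Mimic Painless null-safe access (ctx?.a?.b): None if any step is missing."""
    node = doc
    for key in dotted_path.split("."):
        if not isinstance(node, dict) or key not in node:
            return None
        node = node[key]
    return node

def bulk_body(index, pipeline, doc):
    """Build the two-line NDJSON body the Bulk API expects (trailing newline required)."""
    action = {"index": {"_index": index, "pipeline": pipeline}}
    return json.dumps(action) + "\n" + json.dumps(doc) + "\n"

def replay(base_url, auth_header, body):
    """POST the body to <base_url>/_bulk and return the first item's error, if any.
    base_url and auth_header are placeholders the reader supplies (assumptions)."""
    req = urllib.request.Request(
        base_url.rstrip("/") + "/_bulk",
        data=body.encode("utf-8"),
        headers={"Content-Type": "application/x-ndjson", "Authorization": auth_header},
        method="POST",
    )
    # _bulk answers HTTP 200 even when an item fails; the error is per item.
    with urllib.request.urlopen(req) as resp:
        result = json.load(resp)
    return result["items"][0]["index"].get("error")

if __name__ == "__main__":
    # The script in the response reads ctx?.event?.provider; check what it sees.
    print("event.provider ->", null_safe_get(EVENT, "event.provider"))
    print(bulk_body("winlogbeat-clientxxx", "winlogbeat-pipeline", EVENT), end="")
```

For this event the lookup returns `None`, because the logged `event` object carries only `created`, `kind`, `action` and `code`; that is consistent with the `null_pointer_exception` reported for the `==~` comparison. The printed body can equally be posted with curl using `--data-binary` and a `Content-Type: application/x-ndjson` header.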