I am trying to determine why I am getting so many Powershell parsing errors for event.code 800 events when ingesting with winlogbeat v 7.17.5. I'm seeing more than 50% of these ingested events being tagged with "_js_exception". GoError - could not find delimeter "=" in remaining...
The majority of these scripts are from Microsoft SCOM server.
I'm getting many thousands of these, but below is one example.
Wondering if it is related to volume of events or the format of the messages ?
GoError: could not find delimiter: = in remaining: {Add-Type -TypeDefinition $x509Signature}, (offset: 397)
Message field
Pipeline execution details for command line: {Add-Type -TypeDefinition $x509Signature}
.
Context Information:
DetailSequence=1
DetailTotal=1
SequenceNumber=29811
UserId=SGINFO\SYSTEM
HostName=OpsMgr PowerShell Host
HostVersion=7.0.5000.0
HostId=f7dbb0cc-c7b2-4259-8b0e-c5e812cd0269
HostApplication=C:\Program Files\Microsoft Monitoring Agent\Agent\MonitoringHost.exe -Embedding
EngineVersion=5.1.19041.1682
RunspaceId=c21d52d7-65d1-4032-a089-ebab117470ec
PipelineId=2
ScriptName=
CommandLine= {Add-Type -TypeDefinition $x509Signature}
Details:
CommandInvocation(Add-Type): "Add-Type"
ParameterBinding(Add-Type): name="TypeDefinition"; value=" using System;
using System.Runtime.InteropServices;
using System.Security;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
namespace SystemCenterCentral
{
namespace Utilities
{
namespace Certificates
{
public class X509CRL2
{
public int Version;
public string Type;
public X500DistinguishedName IssuerDN;
public string Issuer;
public DateTime ThisUpdate;
public DateTime NextUpdate;
public Oid SignatureAlgorithm;
public X509ExtensionCollection Extensions;
// no need to know every single entry
// public X509CRLEntry[] RevokedCertificates;
public uint RevokedCertificateCount;
//public byte[] RawData;
}
//no need for CRL entries at the moment
//public class X509CRLEntry
//{
// public string SerialNumber;
// public DateTime RevocationDate;
// public int ReasonCode;
// public string ReasonMessage;
//}
public class Helper {
[DllImport("crypt32.dll", CharSet = CharSet.Auto, SetLastError = true)]
public static extern int CertCreateCRLContext(
int dwCertEncodingType,
IntPtr pbCrlEncoded,
int cbCrlEncoded
);
[DllImport("crypt32.dll", EntryPoint="CertEnumCertificatesInStore", CharSet=CharSet.Auto, SetLastError=true)]
public static extern IntPtr CertEnumCertificatesInStore(
IntPtr storeProvider,
IntPtr prevCertContext);
[DllImport("crypt32.dll", EntryPoint="CertEnumCRLsInStore", CharSet=CharSet.Auto, SetLastError=true)]
public static extern IntPtr CertEnumCRLsInStore(
IntPtr storeProvider,
IntPtr prevCrlContext);
[DllImport("crypt32.dll", EntryPoint="CertEnumCTLsInStore", CharSet=CharSet.Auto, SetLastError=true)]
public static extern IntPtr CertEnumCTLsInStore(
IntPtr storeProvider,
IntPtr prevCtlContext);
[DllImport("crypt32.dll", SetLastError = true)]
public static extern Boolean CertFreeCRLContext(
IntPtr pCrlContext
);
[DllImport("crypt32.dll", CharSet = CharSet.Auto, SetLastError = true)]
public static extern int CertNameToStr(
int dwCertEncodingType,
ref CRYPTOAPI_BLOB pName,
int dwStrType,
System.Text.StringBuilder psz,
int csz
);
[DllImport("crypt32.dll", CharSet = CharSet.Auto, SetLastError = true)]
public static extern IntPtr CertFindExtension(
[MarshalAs(UnmanagedType.LPStr)]String pszObjId,
int cExtensions,
IntPtr rgExtensions
);
[DllImport("crypt32.dll", EntryPoint="CertOpenStore", CharSet=CharSet.Auto, SetLastError=true)]
public static extern IntPtr CertOpenStoreStringPara(
int storeProvider,
int encodingType,
IntPtr hcryptProv,
int flags,
String pvPara);
[DllImport("crypt32.dll", EntryPoint="CertCloseStore", CharSet=CharSet.Auto, SetLastError=true)]
[return : MarshalAs(UnmanagedType.Bool)]
public static extern bool CertCloseStore(
IntPtr storeProvider,
int flags);
}
[StructLayout(LayoutKind.Sequential)]
public struct CRL_CONTEXT
{
public int dwCertEncodingType;
// TODO: This should be marshalled right, as BYTE[]
// [MarshalAs(UnmanagedType.LPArray, SizeParamIndex=2)]
public IntPtr pbCrlEncoded;
public uint cbCrlEncoded;
// TODO: You can marshal this as CRL_INFO directly
public IntPtr pCrlInfo;
public IntPtr hCertStore;
}
[StructLayout(LayoutKind.Sequential, CharSet = CharSet.Auto)]
public struct CRL_INFO
{
public int dwVersion;
public CRYPT_ALGORITHM_IDENTIFIER SignatureAlgorithm;
public CRYPTOAPI_BLOB Issuer;
public Int64 ThisUpdate;
public Int64 NextUpdate;
public int cCRLEntry;
// TODO: This should be marshalled right, as CRL_ENTRY[] ??
public IntPtr rgCRLEntry;
public int cExtension;
public IntPtr rgExtension;
}
[StructLayout(LayoutKind.Sequential, CharSet = CharSet.Auto)]
public struct CRYPT_ALGORITHM_IDENTIFIER
{
[MarshalAs(UnmanagedType.LPStr)]public String pszObjId;
public CRYPTOAPI_BLOB Parameters;
}
[StructLayout(LayoutKind.Sequential, CharSet = CharSet.Auto)]
public struct CRYPTOAPI_BLOB
{
public int cbData;
public IntPtr pbData;
}
[StructLayout(LayoutKind.Sequential, CharSet = CharSet.Auto)]
public struct CRL_ENTRY
{
public CRYPTOAPI_BLOB SerialNumber;
public Int64 RevocationDate;
public int cExtension;
public IntPtr rgExtension;
}
[StructLayout(LayoutKind.Sequential, CharSet = CharSet.Auto)]
public struct CERT_EXTENSION
{
[MarshalAs(UnmanagedType.LPStr)]public String pszObjId;
public Boolean fCritical;
public CRYPTOAPI_BLOB Value;
}
}
}
}"