Problem executing watcher: "Cannot invoke \"Object.getClass()\" because \"callArgs[0]\" is null"

Hello experts, the following watcher should be executed when five failed logins occur in five minutes.

{
  "trigger": {
    "schedule": {
      "interval": "5m"
    }
  },
  "input": {
    "search": {
      "request": {
        "search_type": "query_then_fetch",
        "indices": [
          "nalseg-winlogbeat-*"
        ],
        "rest_total_hits_as_int": true,
        "body": {
          "query": {
            "bool": {
              "must": [
                {
                  "range": {
                    "@timestamp": {
                      "from": "now-5m",
                      "to": "now"
                    }
                  }
                }
              ],
              "filter": [
                {
                  "bool": {
                    "filter": [
                      {
                        "bool": {
                          "should": [
                            {
                              "bool": {
                                "should": [
                                  {
                                    "match_phrase": {
                                      "agent.hostname": "XXXXXXX"
                                    }
                                  }
                                ],
                                "minimum_should_match": 1
                              }
                            },
                            {
                              "bool": {
                                "should": [
                                  {
                                    "match_phrase": {
                                      "agent.hostname": "XXXXXXX"
                                    }
                                  }
                                ],
                                "minimum_should_match": 1
                              }
                            }
                          ],
                          "minimum_should_match": 1
                        }
                      },
                      {
                        "bool": {
                          "should": [
                            {
                              "match": {
                                "winlog.event_id": 4625
                              }
                            }
                          ],
                          "minimum_should_match": 1
                        }
                      }
                    ]
                  }
                }
              ],
              "should": [],
              "must_not": []
            }
          },
          "aggs": {
            "userid": {
              "terms": {
                "field": "winlog.event_data.TargetUserName"
              }
            }
          }
        }
      }
    }
  },
  "condition" : {
    "script" : {
        "source" : "return ctx.payload.userid.buckets.size() > 0 && ctx.payload.userid.by.buckets.0.doc_count > 5"
    }
   },
  "actions": {
    "send_email": {
      "email": {
        "profile": "gmail",
        "attachments": {
          "XXXXXXXX.csv": {
            "reporting": {
              "url": XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX,
              "retries": 80,
              "interval": "4s",
              "auth": {
                "basic": {
                  "username": XXXXXXX,
                  "password": XXXXXXX
                }
              }
            }
          }
        },
        "to": [
          "XXXX@xxx"
        ],
        "subject": "XXXXXXXXXXXXXXXXXXXXXXXxx",
        "body": {
          "text": "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX."
        }
      }
    }
  }
}    

When executing, I get the following error:

"exception": {
    "type": "script_exception",
    "reason": "runtime error",
    "script_stack": [
      "return ctx.payload.userid.buckets.size() > 0 && ctx.payload.userid.by.buckets.0.doc_count > 5",
      "                         ^---- HERE"
    ],
    "script": "return ctx.payload.userid.buckets.size() > 0 && ctx.payload.userid.by.buckets.0.doc_count > 5",
    "lang": "painless",
    "position": {
      "offset": 25,
      "start": 0,
      "end": 93
    },
    "caused_by": {
      "type": "null_pointer_exception",
      "reason": "Cannot invoke \"Object.getClass()\" because \"callArgs[0]\" is null",
      "stack_trace": "java.lang.NullPointerException: Cannot invoke \"Object.getClass()\" because \"callArgs[0]\" is null\n\tat org.elasticsearch.painless.DefBootstrap$PIC.fallback(DefBootstrap.java:206)\n\tat org.elasticsearch.painless.PainlessScript$Script.execute(return ctx.payload.userid.buckets.size() > 0 && ctx.payload.userid.by.buckets.0.doc_count > 5:26)\n\tat org.elasticsearch.xpack.watcher.condition.ScriptCondition.doExecute(ScriptCondition.java:60)\n\tat org.elasticsearch.xpack.watcher.condition.ScriptCondition.execute(ScriptCondition.java:55)\n\tat org.elasticsearch.xpack.watcher.execution.ExecutionService.executeInner(ExecutionService.java:512)\n\tat org.elasticsearch.xpack.watcher.execution.ExecutionService.execute(ExecutionService.java:319)\n\tat org.elasticsearch.xpack.watcher.transport.actions.execute.TransportExecuteWatchAction$1.doRun(TransportExecuteWatchAction.java:159)\n\tat org.elasticsearch.common.util.concurrent.AbstractRunnable.run(AbstractRunnable.java:37)\n\tat org.elasticsearch.xpack.watcher.execution.ExecutionService$WatchExecutionTask.run(ExecutionService.java:626)\n\tat org.elasticsearch.common.util.concurrent.ThreadContext$ContextPreservingRunnable.run(ThreadContext.java:651)\n\tat java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1130)\n\tat java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:630)\n\tat java.base/java.lang.Thread.run(Thread.java:832)\n"
    },
    "stack_trace": "ScriptException[runtime error]; nested: NullPointerException[Cannot invoke \"Object.getClass()\" because \"callArgs[0]\" is null];\n\tat org.elasticsearch.painless.PainlessScript.convertToScriptException(PainlessScript.java:96)\n\tat org.elasticsearch.painless.PainlessScript$Script.execute(return ctx.payload.userid.buckets.size() > 0 && ctx.payload.userid.by.buckets.0.doc_count > 5:80)\n\tat org.elasticsearch.xpack.watcher.condition.ScriptCondition.doExecute(ScriptCondition.java:60)\n\tat org.elasticsearch.xpack.watcher.condition.ScriptCondition.execute(ScriptCondition.java:55)\n\tat org.elasticsearch.xpack.watcher.execution.ExecutionService.executeInner(ExecutionService.java:512)\n\tat org.elasticsearch.xpack.watcher.execution.ExecutionService.execute(ExecutionService.java:319)\n\tat org.elasticsearch.xpack.watcher.transport.actions.execute.TransportExecuteWatchAction$1.doRun(TransportExecuteWatchAction.java:159)\n\tat org.elasticsearch.common.util.concurrent.AbstractRunnable.run(AbstractRunnable.java:37)\n\tat org.elasticsearch.xpack.watcher.execution.ExecutionService$WatchExecutionTask.run(ExecutionService.java:626)\n\tat org.elasticsearch.common.util.concurrent.ThreadContext$ContextPreservingRunnable.run(ThreadContext.java:651)\n\tat java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1130)\n\tat java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:630)\n\tat java.base/java.lang.Thread.run(Thread.java:832)\nCaused by: java.lang.NullPointerException: Cannot invoke \"Object.getClass()\" because \"callArgs[0]\" is null\n\tat org.elasticsearch.painless.DefBootstrap$PIC.fallback(DefBootstrap.java:206)\n\tat org.elasticsearch.painless.PainlessScript$Script.execute(return ctx.payload.userid.buckets.size() > 0 && ctx.payload.userid.by.buckets.0.doc_count > 5:26)\n\t... 11 more\n"
  }
}

I think you need to type ctx.payload.aggregations.userid. You should use the simulate feature to see the actual output of your watcher.
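To illustrate the reply above, this added example (not code from the thread or from Elastic) models in Python how a condition path resolves against the payload of a search input with a terms aggregation named `userid`. The sample payload, user names and helper function names are constructed for illustration; the `> 5` comparison is taken from the posted script.

```python
# Constructed sample: shape of ctx.payload for a search input whose body has a
# terms aggregation named "userid" (user names and counts are made up).
SAMPLE_PAYLOAD = {
    "hits": {"total": 9, "hits": []},
    "aggregations": {
        "userid": {
            "buckets": [
                {"key": "alice", "doc_count": 7},
                {"key": "bob", "doc_count": 2},
            ]
        }
    },
}


def first_missing(payload, path):
    """Walk a dotted path the way the condition dereferences ctx.payload.
    Return the first segment that does not exist (where the null appears),
    or None when every segment resolves."""
    node = payload
    for seg in path.split("."):
        if isinstance(node, list) and seg.isdigit() and int(seg) < len(node):
            node = node[int(seg)]
        elif isinstance(node, dict) and seg in node:
            node = node[seg]
        else:
            return seg
    return None


def users_over_threshold(payload, threshold):
    """Null-safe form of the check: users whose failed-logon count in the
    window exceeds the threshold; empty list if the aggregation is absent."""
    buckets = payload.get("aggregations", {}).get("userid", {}).get("buckets", [])
    return [b["key"] for b in buckets if b["doc_count"] > threshold]


if __name__ == "__main__":
    # Path used by the posted condition: "userid" is not a top-level payload key.
    print(first_missing(SAMPLE_PAYLOAD, "userid.buckets"))
    # Path suggested in the reply resolves down to the first bucket's count.
    print(first_missing(SAMPLE_PAYLOAD, "aggregations.userid.buckets.0.doc_count"))
    # The terms aggregation response has no "by" level either.
    print(first_missing(SAMPLE_PAYLOAD, "aggregations.userid.by.buckets"))
    print(users_over_threshold(SAMPLE_PAYLOAD, 5))
```
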
