Runtime error: slice bounds out of range when ingesting PowerShell logs

I am trying to ingest PowerShell logs using winlogbeat 7.12 using the following configuration:

- name: WEC-Powershell
  tags: [forwarded]
  processors:
    - script:
        when.equals.winlog.channel: Windows-PowerShell
        lang: javascript
        id: security
        file: ${path.home}/module/security/config/winlogbeat-security.js

But when I do this, I get the following error when starting winlogbeat, and winlogbeat immediately crashes:

2021-03-29T13:24:10.447-0700	INFO	beater/eventlogger.go:129	EventLog[WEC-Powershell] Stop processing.
panic: runtime error: slice bounds out of range [:18506] with capacity 16384

goroutine 1187 [running]:
github.com/elastic/beats/v7/winlogbeat/sys/wineventlog.FormatEventString(0xc000000009, 0x100003c, 0xc006d04cd0, 0xa, 0x2000074, 0x0, 0xc001068000, 0x4000, 0x4000, 0x333bb60, ...)
	/go/src/github.com/elastic/beats/winlogbeat/sys/wineventlog/wineventlog_windows.go:419 +0x405
github.com/elastic/beats/v7/winlogbeat/sys/wineventlog.RenderEvent(0x100003c, 0xc000000000, 0xc001068000, 0x4000, 0x4000, 0xc0042070c0, 0x333bb60, 0xc00095d140, 0xc004207640, 0x40)
	/go/src/github.com/elastic/beats/winlogbeat/sys/wineventlog/wineventlog_windows.go:241 +0x112
github.com/elastic/beats/v7/winlogbeat/eventlog.newWinEventLog.func4(0x100003c, 0x333bb60, 0xc00095d140, 0x69, 0x0)
	/go/src/github.com/elastic/beats/winlogbeat/eventlog/wineventlog.go:433 +0xa7
github.com/elastic/beats/v7/winlogbeat/eventlog.(*winEventLog).Read(0xc0002d3400, 0x0, 0x0, 0x0, 0x0, 0x0)
	/go/src/github.com/elastic/beats/winlogbeat/eventlog/wineventlog.go:251 +0x295
github.com/elastic/beats/v7/winlogbeat/beater.(*eventLogger).run(0xc000909b30, 0xc0001cd140, 0x33584c0, 0xc00050a280, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, ...)
	/go/src/github.com/elastic/beats/winlogbeat/beater/eventlogger.go:147 +0x46e
github.com/elastic/beats/v7/winlogbeat/beater.(*Winlogbeat).processEventLog(0xc00019a1c0, 0xc000da3310, 0xc000909b30, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, ...)
	/go/src/github.com/elastic/beats/winlogbeat/beater/winlogbeat.go:174 +0xd6
created by github.com/elastic/beats/v7/winlogbeat/beater.(*Winlogbeat).Run
	/go/src/github.com/elastic/beats/winlogbeat/beater/winlogbeat.go:142 +0x35a
