Winlogbeat 5.0 mapper_parsing_exception from Elasticsearch

rhyse · August 4, 2016, 1:38pm

Hi

I am using Winlogbeat 5.0.0-alpha4 and am having trouble reading in the following event log

Log Name: Application Source: Group Policy Local Users and Groups Date: 04/08/2016 14:08:22 Event ID: 4098 Task Category: (2) Level: Warning Keywords: Classic User: SYSTEM Computer: SETHER01.support.local Description: The computer 'Administrator (built-in)' preference item in the 'Local Administrator Policy {7505FF97-CD2C-44B3-8667-8842768657BC}' Group Policy Object did not apply because it failed with error code '0x8007052a This operation is disallowed as it could result in an administration account being disabled, deleted or unable to logon.' This error was suppressed. Event Xml: <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"> <System> <Provider Name="Group Policy Local Users and Groups" /> <EventID Qualifiers="34305">4098</EventID> <Level>3</Level> <Task>2</Task> <Keywords>0x80000000000000</Keywords> <TimeCreated SystemTime="2016-08-04T13:08:22.000000000Z" /> <EventRecordID>26907</EventRecordID> <Channel>Application</Channel> <Computer>SETHER01.support.local</Computer> <Security UserID="S-1-5-18" /> </System> <EventData> <Data>computer</Data> <Data>Administrator (built-in)</Data> <Data>Local Administrator Policy {7505FF97-CD2C-44B3-8667-8842768657BC}</Data> <Data>0x8007052a This operation is disallowed as it could result in an administration account being disabled, deleted or unable to logon.</Data> </EventData> </Event>

When getting to logstash I am getting the following issue

beat"=>{"name"=>"SETHER01", "hostname"=>"SETHER01"}, "log_name"=>"Application", "event_id"=>4098, "event_data"=>{"param2"=>"Administrator (built-in)", "param3"=>"Local Administrator Policy {7505FF97-CD2C-44B3-8667-8842768657BC}", "param4"=>"0x8007052a This operation is disallowed as it could result in an administration account being disabled, deleted or unable to logon.", "param1"=>"computer"}, "level"=>"Warning", "keywords"=>["Classic"], "user"=>{"identifier"=>"S-1-5-18", "name"=>"SYSTEM", "domain"=>"NT AUTHORITY", "type"=>"User"}, "tags"=>["support.local", "beats", "beats_input_codec_plain_applied", "_grokparsefailure"], "type"=>"wineventlog", "source_name"=>"Group Policy Local Users and Groups", "computer_name"=>"SETHER01.support.local", "host"=>"SETHER01"}, "event_data.AuthenticationPackageName"], "[type]"=>[{"message"=>"The computer 'Administrator (built-in)' preference item in the 'Local Administrator Policy {7505FF97-CD2C-44B3-8667-8842768657BC}' Group Policy Object did not apply because it failed with error code '0x8007052a This operation is disallowed as it could result in an administration account being disabled, deleted or unable to logon.' This error was suppressed.", "@version"=>"1", "@timestamp"=>"2016-08-01T23:32:04.000Z", "record_number"=>"26709", "beat"=>{"name"=>"SETHER01", "hostname"=>"SETHER01"}, "log_name"=>"Application", "event_id"=>4098, "event_data"=>{"param2"=>"Administrator (built-in)", "param3"=>"Local Administrator Policy {7505FF97-CD2C-44B3-8667-8842768657BC}", "param4"=>"0x8007052a This operation is disallowed as it could result in an administration account being disabled, deleted or unable to logon.", "param1"=>"computer"}, "level"=>"Warning", "keywords"=>["Classic"], "user"=>{"identifier"=>"S-1-5-18", "name"=>"SYSTEM", "domain"=>"NT AUTHORITY", "type"=>"User"}, "tags"=>["support.local", "beats", "beats_input_codec_plain_applied", "_grokparsefailure"], "type"=>"wineventlog", "source_name"=>"Group Policy Local Users and Groups", "computer_name"=>"SETHER01.support.local", "host"=>"SETHER01"}, "type"]}>>], :response=>{"create"=>{"_index"=>"winlogbeat-2016.08.01", "_type"=>"wineventlog", "_id"=>"AVZVsbgER563NkM5Cr8L", "status"=>400, "error"=>{"type"=>"mapper_parsing_exception", "reason"=>"failed to parse [event_data.param2]", "caused_by"=>{"type"=>"illegal_argument_exception", "reason"=>"Invalid format: \"Administrator (built-in)\""}}}}, :level=>:warn}

So the error seems to be with the 'Administrator (built-in)' part of the message, is there anyway to "normalise" this? either at the client or ideally the logstash side ?

I would assume this would affect any eventlog with ' ' written in it ?

Any help is appreciated

Thanks

andrewkroh · August 4, 2016, 2:11pm

What does the mapping for this index look like? Can you query elasticsearch to get the mapping for that index and attach the output here. Also can you check you Elasticsearch log to see if there are any more details in the log when this error occurs.

Command to query the mapping:
curl http://<elasticsearch>:9200/winlogbeat-2016.08.01/_mapping?pretty

rhyse · August 4, 2016, 2:16pm

Hi

the mapping wont fit into the text box (its over 5000 characters) , is there any other way I can get this to you ?

Thanks

andrewkroh · August 4, 2016, 2:18pm

How about dropping the data into http://pastebin.com and sharing the link. Thanks

rhyse · August 4, 2016, 2:25pm

Here it is

http://pastebin.com/hbQk0APH

andrewkroh · August 4, 2016, 2:56pm

Did you install the index template for Winlogbeat? The index template should configure all of the event_data.* fields to be string types. It looks like the mapping for the field was detected as a date. This would occur if the first event with event_data.param2 had a date value and the provided index template was not installed.

              "param2" : {
                "type" : "date",
                "format" : "yyyy/MM/dd HH:mm:ss||yyyy/MM/dd||epoch_millis"
              },

Reference: Winlogbeat Reference [5.0] » Getting Started With Winlogbeat » Step 4: Loading the Index Template in Elasticsearch

rhyse · August 4, 2016, 3:53pm

Honestly cant remember, but don't think so. Have done that now .
New mappings below

http://pastebin.com/diHUtczR

andrewkroh · August 4, 2016, 3:54pm

Great, that should fix the issue.

system · August 25, 2016, 3:55pm

This topic was automatically closed 21 days after the last reply. New replies are no longer allowed.