Winlogbeat 5.0 mapper_parsing_exception from Elasticsearch


(rhyse) #1

Hi

I am using Winlogbeat 5.0.0-alpha4 and am having trouble reading in the following event log

Log Name: Application
Source: Group Policy Local Users and Groups
Date: 04/08/2016 14:08:22
Event ID: 4098
Task Category: (2)
Level: Warning
Keywords: Classic
User: SYSTEM
Computer: SETHER01.support.local
Description:
The computer 'Administrator (built-in)' preference item in the 'Local Administrator Policy {7505FF97-CD2C-44B3-8667-8842768657BC}' Group Policy Object did not apply because it failed with error code '0x8007052a This operation is disallowed as it could result in an administration account being disabled, deleted or unable to logon.' This error was suppressed.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Group Policy Local Users and Groups" />
    <EventID Qualifiers="34305">4098</EventID>
    <Level>3</Level>
    <Task>2</Task>
    <Keywords>0x80000000000000</Keywords>
    <TimeCreated SystemTime="2016-08-04T13:08:22.000000000Z" />
    <EventRecordID>26907</EventRecordID>
    <Channel>Application</Channel>
    <Computer>SETHER01.support.local</Computer>
    <Security UserID="S-1-5-18" />
  </System>
  <EventData>
    <Data>computer</Data>
    <Data>Administrator (built-in)</Data>
    <Data>Local Administrator Policy {7505FF97-CD2C-44B3-8667-8842768657BC}</Data>
    <Data>0x8007052a This operation is disallowed as it could result in an administration account being disabled, deleted or unable to logon.</Data>
  </EventData>
</Event>

When getting to logstash I am getting the following issue

beat"=>{"name"=>"SETHER01", "hostname"=>"SETHER01"}, "log_name"=>"Application", "event_id"=>4098, "event_data"=>{"param2"=>"Administrator (built-in)", "param3"=>"Local Administrator Policy {7505FF97-CD2C-44B3-8667-8842768657BC}", "param4"=>"0x8007052a This operation is disallowed as it could result in an administration account being disabled, deleted or unable to logon.", "param1"=>"computer"}, "level"=>"Warning", "keywords"=>["Classic"], "user"=>{"identifier"=>"S-1-5-18", "name"=>"SYSTEM", "domain"=>"NT AUTHORITY", "type"=>"User"}, "tags"=>["support.local", "beats", "beats_input_codec_plain_applied", "_grokparsefailure"], "type"=>"wineventlog", "source_name"=>"Group Policy Local Users and Groups", "computer_name"=>"SETHER01.support.local", "host"=>"SETHER01"}, "event_data.AuthenticationPackageName"], "[type]"=>[{"message"=>"The computer 'Administrator (built-in)' preference item in the 'Local Administrator Policy {7505FF97-CD2C-44B3-8667-8842768657BC}' Group Policy Object did not apply because it failed with error code '0x8007052a This operation is disallowed as it could result in an administration account being disabled, deleted or unable to logon.' 
This error was suppressed.", "@version"=>"1", "@timestamp"=>"2016-08-01T23:32:04.000Z", "record_number"=>"26709", "beat"=>{"name"=>"SETHER01", "hostname"=>"SETHER01"}, "log_name"=>"Application", "event_id"=>4098, "event_data"=>{"param2"=>"Administrator (built-in)", "param3"=>"Local Administrator Policy {7505FF97-CD2C-44B3-8667-8842768657BC}", "param4"=>"0x8007052a This operation is disallowed as it could result in an administration account being disabled, deleted or unable to logon.", "param1"=>"computer"}, "level"=>"Warning", "keywords"=>["Classic"], "user"=>{"identifier"=>"S-1-5-18", "name"=>"SYSTEM", "domain"=>"NT AUTHORITY", "type"=>"User"}, "tags"=>["support.local", "beats", "beats_input_codec_plain_applied", "_grokparsefailure"], "type"=>"wineventlog", "source_name"=>"Group Policy Local Users and Groups", "computer_name"=>"SETHER01.support.local", "host"=>"SETHER01"}, "type"]}>>], :response=>{"create"=>{"_index"=>"winlogbeat-2016.08.01", "_type"=>"wineventlog", "_id"=>"AVZVsbgER563NkM5Cr8L", "status"=>400, "error"=>{"type"=>"mapper_parsing_exception", "reason"=>"failed to parse [event_data.param2]", "caused_by"=>{"type"=>"illegal_argument_exception", "reason"=>"Invalid format: \"Administrator (built-in)\""}}}}, :level=>:warn}

So the error seems to be with the 'Administrator (built-in)' part of the message. Is there any way to "normalise" this, either at the client or, ideally, on the logstash side?

I would assume this would affect any event log with ' ' written in it?

Any help is appreciated

Thanks


(Andrew Kroh) #2

What does the mapping for this index look like? Can you query Elasticsearch to get the mapping for that index and attach the output here? Also, can you check your Elasticsearch log to see if there are any more details when this error occurs?

Command to query the mapping:
curl http://<elasticsearch>:9200/winlogbeat-2016.08.01/_mapping?pretty


(rhyse) #3

Hi

The mapping won't fit into the text box (it's over 5000 characters). Is there any other way I can get this to you?

Thanks


(Andrew Kroh) #4

How about dropping the data into http://pastebin.com and sharing the link. Thanks


(rhyse) #5

Here it is

http://pastebin.com/hbQk0APH


(Andrew Kroh) #6

Did you install the index template for Winlogbeat? The index template should configure all of the event_data.* fields to be string types. It looks like the mapping for the field was detected as a date. This would occur if the first event with event_data.param2 had a date value and the provided index template was not installed.

              "param2" : {
                "type" : "date",
                "format" : "yyyy/MM/dd HH:mm:ss||yyyy/MM/dd||epoch_millis"
              },

Reference: Winlogbeat Reference [5.0] » Getting Started With Winlogbeat » Step 4: Loading the Index Template in Elasticsearch
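A way to confirm the diagnosis above from the curl output in reply #2 (an added example, not code from the thread or from the Winlogbeat project): walk the _mapping response and report every event_data.* field that was not mapped as a string type. The JSON below is a constructed sample shaped like a 5.0-era mapping, with param2 dynamically mapped as a date; pipe the real response in on stdin instead.

```python
import json
import sys

# Constructed sample of a `_mapping` response (not the thread's pastebin data).
# param2 was dynamically mapped as a date because the first event indexed
# before the Winlogbeat template was loaded carried a date-like value.
SAMPLE_MAPPING = json.loads("""
{
  "winlogbeat-2016.08.01": {
    "mappings": {
      "wineventlog": {
        "properties": {
          "event_id": {"type": "long"},
          "event_data": {
            "properties": {
              "param1": {"type": "string"},
              "param2": {"type": "date",
                         "format": "yyyy/MM/dd HH:mm:ss||yyyy/MM/dd||epoch_millis"},
              "param3": {"type": "string"}
            }
          }
        }
      }
    }
  }
}
""")

# Types the Winlogbeat template is expected to give event_data.* fields.
STRING_TYPES = {"string", "keyword", "text"}


def walk_properties(props, prefix=""):
    """Yield (dotted field name, type) for every leaf in a properties tree."""
    for name, body in props.items():
        path = prefix + name
        if "properties" in body:  # nested object: recurse into its children
            yield from walk_properties(body["properties"], path + ".")
        else:
            yield path, body.get("type", "object")


def non_string_event_data_fields(mapping):
    """Return {field: type} for event_data.* fields not mapped as strings."""
    bad = {}
    for index_body in mapping.values():
        for type_body in index_body["mappings"].values():
            for path, ftype in walk_properties(type_body.get("properties", {})):
                if path.startswith("event_data.") and ftype not in STRING_TYPES:
                    bad[path] = ftype
    return bad


if __name__ == "__main__":
    # Usage: curl -s http://<elasticsearch>:9200/winlogbeat-*/_mapping | python check_mapping.py
    source = json.load(sys.stdin) if not sys.stdin.isatty() else SAMPLE_MAPPING
    for field, ftype in sorted(non_string_event_data_fields(source).items()):
        print(f"{field} mapped as {ftype}; template not applied before first index")
```

Any field it lists will keep rejecting non-date values until the index is recreated with the template installed, since a field's mapping type cannot be changed in place.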


(rhyse) #7

Honestly can't remember, but I don't think so. Have done that now.
New mappings below:

http://pastebin.com/diHUtczR


(Andrew Kroh) #8

Great, that should fix the issue. :slight_smile:
