Winlogbeat not parsing AnsiString fields correctly

Hello,
I'd like to draw attention to what I believe is a bug in winlogbeat v9+ parsing logic for ETW events declared with inType="win:AnsiString". Long story short, the strings are not trimmed to the null terminator.
I made a PR a while ago, which is still waiting for review. I would appreciate it if someone could take a look -- happy to discuss further either here or under the PR.
Thanks!

Hi @AltairQ,

Thank you for reaching out. My team is the one that needs to review your PR. I'm not sure what happened as far as tracking it, but I've found it in my GitHub queue now. I'll have someone engage with you on the PR soon though.
