Stephen Jeffrey Hindmarch created NIFI-13328:
------------------------------------------------

             Summary: WindowsEventLogRecordReader should parse RenderingInfo
                 Key: NIFI-13328
                 URL: https://issues.apache.org/jira/browse/NIFI-13328
             Project: Apache NiFi
          Issue Type: Improvement
          Components: Core Framework
    Affects Versions: 1.24.0
         Environment: Docker
            Reporter: Stephen Jeffrey Hindmarch


If Windows events are extracted from the Windows Event Collector they will 
include a "RenderingInfo" tag. However, this tag is not expected by the 
WindowsEventLogReader, which throws an error and passes the flow file to the 
failure relationship if the event contains the tag. This tag should be 
supported as it is a legitimate part of the Windows Event XML schema.

See 
[https://learn.microsoft.com/en-us/windows/win32/wes/eventschema-renderingtype-complextype]
 and 
[https://learn.microsoft.com/en-us/windows/win32/wec/windows-event-collector] . 
In this particular use case, events are being collected from field technicians' 
laptops to perform a cybersecurity audit after they have plugged their laptops 
into customer networks.

However, when these events are processed through a WindowsEventLogReader, the 
reader throws the following error.
{noformat}
ConvertRecord[id=7b99392f-2b54-139e-8791-349e930904cd] Failed to process 
FlowFile[filename=ffca2ea2-edd5-4ad1-8380-2bc4c8dae1ac]; will route to failure: 
org.apache.nifi.processor.exception.ProcessException: Could not parse incoming 
data
- Caused by: org.apache.nifi.serialization.MalformedRecordException: Error 
reading records to determine the FlowFile's RecordSchema
- Caused by: javax.xml.stream.XMLStreamException: Expecting <Event> tag but 
found unknown/invalid tag RenderingInfo{noformat}
An example of the event record might be
{noformat}
<Event xmlns="https://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Service Control Manager" 
Guid="{555908d1-a6d7-4695-8e1e-26931d2012f4}" EventSourceName="Service Control 
Manager"/>
    <EventID Qualifiers="16384">7036</EventID>
    <Version>0</Version>
    <Level>4</Level>
    <Task>0</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8080000000000000</Keywords>
    <TimeCreated SystemTime="2016-06-10T22:28:53.905233700Z"/>
    <EventRecordID>34153</EventRecordID>
    <Correlation/>
    <Execution ProcessID="684" ThreadID="3504"/>
    <Channel>System</Channel>
    <Computer>WIN-O05CNUCF16M.hdf.local</Computer>
    <Security/>
  </System>
  <EventData>
    <Data Name="param1">Smart Card Device Enumeration Service</Data>
    <Data>param2</Data>
    <Binary>5300630044006500760069006300650045006E0075006D002F0034000000</Binary>
  </EventData>
  <RenderingInfo Culture="en-US">
    <Message>This is a message</Message>
  </RenderingInfo>
</Event>{noformat}
Removing the tag allows the event to be processed as normal.

One possible workaround is to use a ReplaceText processor to remove the tag 
before reading, but this then involves either discarding the tag contents, or 
using an enrichment fork to find some other way of processing it. Another 
workaround is to use the XMLReader service, but this is a generic parser and 
has its own problems.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
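The following is an added example illustrating the report above; it is not NiFi code and does not reproduce WindowsEventLogRecordReader's record schema. It is a small Python parser for Windows Event XML that accepts the top-level System, EventData, UserData and RenderingInfo elements, flattens them into a record, and, behind a switch, reproduces the strict behaviour the ticket describes (rejecting RenderingInfo as an unknown tag). The sample event is constructed from the one in the ticket, with Level and Keywords children added to RenderingInfo as the schema allows; the field names, the `Data0` key for unnamed Data elements, the `BinaryText` UTF-16LE decode and the `accept_rendering_info` flag are this example's own choices.

```python
"""Parse Windows Event XML, including RenderingInfo, into a flat record.

Added example for the NIFI-13328 report; not NiFi code. Field names and the
strict/lenient switch are this example's own choices, not NiFi's schema.
"""
import xml.etree.ElementTree as ET

# Namespace of the Windows Event XML schema (event.xsd).
EVENT_NS = "http://schemas.microsoft.com/win/2004/08/events/event"

# Constructed sample modelled on the ticket's event: a Service Control Manager
# 7036 event with the RenderingInfo block a Windows Event Collector appends.
SAMPLE_EVENT = """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Service Control Manager" Guid="{555908d1-a6d7-4695-8e1e-26931d2012f4}" EventSourceName="Service Control Manager"/>
    <EventID Qualifiers="16384">7036</EventID>
    <Version>0</Version>
    <Level>4</Level>
    <Task>0</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8080000000000000</Keywords>
    <TimeCreated SystemTime="2016-06-10T22:28:53.905233700Z"/>
    <EventRecordID>34153</EventRecordID>
    <Correlation/>
    <Execution ProcessID="684" ThreadID="3504"/>
    <Channel>System</Channel>
    <Computer>WIN-O05CNUCF16M.hdf.local</Computer>
    <Security/>
  </System>
  <EventData>
    <Data Name="param1">Smart Card Device Enumeration Service</Data>
    <Data>param2</Data>
    <Binary>5300630044006500760069006300650045006E0075006D002F0034000000</Binary>
  </EventData>
  <RenderingInfo Culture="en-US">
    <Message>This is a message</Message>
    <Level>Information</Level>
    <Keywords><Keyword>Classic</Keyword></Keywords>
  </RenderingInfo>
</Event>"""


def _local(tag: str) -> str:
    """Drop the '{namespace}' prefix ElementTree puts on qualified tag names."""
    return tag.rsplit("}", 1)[-1]


def _attrs(elem, prefix: str, record: dict) -> None:
    """Flatten an element's attributes as '<Prefix>.<Attr>' keys."""
    for attr, value in elem.attrib.items():
        record[f"{prefix}.{attr}"] = value


def _parse_system(system, record: dict) -> None:
    # Each System child becomes its text (if any) plus its attributes.
    for child in system:
        name = _local(child.tag)
        _attrs(child, name, record)
        text = (child.text or "").strip()
        if text:
            record[name] = text


def _parse_event_data(event_data, record: dict) -> None:
    unnamed = 0
    for child in event_data:
        name = _local(child.tag)
        text = (child.text or "").strip()
        if name == "Data":
            key = child.get("Name")
            if key is None:  # positional Data element, as in the sample
                key = f"Data{unnamed}"
                unnamed += 1
            record[key] = text
        elif name == "Binary":
            # Keep the raw hex; the UTF-16LE decode is best effort only, since
            # providers may put arbitrary bytes here.
            record["Binary"] = text
            try:
                record["BinaryText"] = bytes.fromhex(text).decode("utf-16-le").rstrip("\x00")
            except (ValueError, UnicodeDecodeError):
                pass
        else:
            raise ValueError(f"unknown/invalid tag {name} inside EventData")


def _parse_rendering_info(rendering_info, record: dict) -> None:
    """RenderingInfo carries the locale-rendered text (Message, Level, Keywords, ...)."""
    _attrs(rendering_info, "RenderingInfo", record)
    for child in rendering_info:
        name = _local(child.tag)
        if name == "Keywords":
            record["RenderingInfo.Keywords"] = [
                (kw.text or "").strip() for kw in child if _local(kw.tag) == "Keyword"
            ]
        else:
            record[f"RenderingInfo.{name}"] = (child.text or "").strip()


def parse_windows_event(xml_text: str, *, accept_rendering_info: bool = True) -> dict:
    """Flatten one <Event> document into a dict.

    accept_rendering_info=False mimics the reader behaviour in the ticket: any
    top-level element other than System/EventData/UserData is rejected.
    """
    root = ET.fromstring(xml_text)
    if _local(root.tag) != "Event":
        raise ValueError(f"Expecting <Event> tag but found unknown/invalid tag {_local(root.tag)}")
    record: dict = {}
    for child in root:
        name = _local(child.tag)
        if name == "System":
            _parse_system(child, record)
        elif name == "EventData":
            _parse_event_data(child, record)
        elif name == "UserData":
            # Provider-specific payload; keep it serialized so nothing is lost.
            record["UserData"] = ET.tostring(child, encoding="unicode")
        elif name == "RenderingInfo" and accept_rendering_info:
            _parse_rendering_info(child, record)
        else:
            raise ValueError(f"Expecting <Event> tag but found unknown/invalid tag {name}")
    return record


def strict_reader_error(xml_text: str):
    """Return the error message a RenderingInfo-intolerant reader raises, or None."""
    try:
        parse_windows_event(xml_text, accept_rendering_info=False)
    except ValueError as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    rec = parse_windows_event(SAMPLE_EVENT)
    for key in ("Provider.Name", "EventID", "param1", "BinaryText", "RenderingInfo.Message"):
        print(f"{key}: {rec[key]}")
    print("strict reader:", strict_reader_error(SAMPLE_EVENT))
```

The lenient path keeps the rendered Message and Culture as fields rather than forcing a ReplaceText strip, which is the data the ticket wants preserved; the strict path shows why the same document lands in the failure relationship today. Collector output from machines that have been on untrusted networks is itself untrusted input, so in a real pipeline parse it with `defusedxml.ElementTree.fromstring` in place of the standard-library call to rule out entity-expansion tricks.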
