[ 
https://issues.apache.org/jira/browse/NIFI-13328?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Stephen Jeffrey Hindmarch updated NIFI-13328:
---------------------------------------------
    Description: 
If windows events are extracted from the windows event collector they will 
include a "RenderingInfo" tag. However, this tag is not expected by the 
WindowsEventLogReader and will throw an error and pass the flow file into the 
failure relationship if the event contains the tag. This tag should be 
supported as it is a legitimate part of the Windows Event XML schema.

See 
[https://learn.microsoft.com/en-us/windows/win32/wes/eventschema-renderingtype-complextype]
 and 
[https://learn.microsoft.com/en-us/windows/win32/wec/windows-event-collector]. 
In this particular use case, events are being collected from field technicians' 
laptops to perform a cybersecurity audit after they have plugged their laptops 
into customer networks.

When these events are processed through a WindowsEventLogReader, the reader 
throws the following error.
{noformat}
ConvertRecord[id=7b99392f-2b54-139e-8791-349e930904cd] Failed to process 
FlowFile[filename=ffca2ea2-edd5-4ad1-8380-2bc4c8dae1ac]; will route to failure: 
org.apache.nifi.processor.exception.ProcessException: Could not parse incoming 
data
- Caused by: org.apache.nifi.serialization.MalformedRecordException: Error 
reading records to determine the FlowFile's RecordSchema
- Caused by: javax.xml.stream.XMLStreamException: Expecting <Event> tag but 
found unknown/invalid tag RenderingInfo{noformat}
An example of the event record might be
{noformat}
<Event xmlns="https://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Service Control Manager" 
Guid="{555908d1-a6d7-4695-8e1e-26931d2012f4}" EventSourceName="Service Control 
Manager"/>
    <EventID Qualifiers="16384">7036</EventID>
    <Version>0</Version>
    <Level>4</Level>
    <Task>0</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8080000000000000</Keywords>
    <TimeCreated SystemTime="2016-06-10T22:28:53.905233700Z"/>
    <EventRecordID>34153</EventRecordID>
    <Correlation/>
    <Execution ProcessID="684" ThreadID="3504"/>
    <Channel>System</Channel>
    <Computer>WIN-O05CNUCF16M.hdf.local</Computer>
    <Security/>
  </System>
  <EventData>
    <Data Name="param1">Smart Card Device Enumeration Service</Data>
    <Data>param2</Data>
    <Binary>5300630044006500760069006300650045006E0075006D002F0034000000</Binary>
  </EventData>
  <RenderingInfo Culture="en-US">
    <Message>This is a message</Message>
  </RenderingInfo>
</Event>{noformat}
Removing the tag allows the event to be processed as normal.

One possible workaround is to use a ReplaceText processor to remove the tag 
before reading, but this then involves either discarding the tag contents, or 
using an enrichment fork to find some other way of processing it. Another 
workaround is to use the XMLReader service, but this is a generic parser and 
has its own problems.
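As an added illustration, not code from the NiFi project or from the reporter, the following Python sketch parses the sample event above the way the report asks the reader to behave: it flattens System and EventData into record fields and treats RenderingInfo, and any other top-level element, as optional instead of routing the record to failure. The sample is constructed from the event quoted above; decoding Binary as UTF-16LE text is an assumption drawn from that sample's contents.

```python
import xml.etree.ElementTree as ET

# Constructed sample, abridged from the event quoted in this report (namespace as shown there).
SAMPLE_EVENT = """<Event xmlns="https://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Service Control Manager" Guid="{555908d1-a6d7-4695-8e1e-26931d2012f4}"/>
    <EventID Qualifiers="16384">7036</EventID>
  </System>
  <EventData>
    <Data Name="param1">Smart Card Device Enumeration Service</Data>
    <Data>param2</Data>
    <Binary>5300630044006500760069006300650045006E0075006D002F0034000000</Binary>
  </EventData>
  <RenderingInfo Culture="en-US">
    <Message>This is a message</Message>
  </RenderingInfo>
</Event>"""

def local(tag):  # drop the "{namespace}" prefix ElementTree puts on tag names
    return tag.rsplit("}", 1)[-1]

def parse_event(xml_text):
    """Flatten one Windows Event XML record; optional or unknown top-level elements never fail it."""
    root = ET.fromstring(xml_text)
    if local(root.tag) != "Event":
        raise ValueError(f"expected <Event>, found <{local(root.tag)}>")
    record = {"System": {}, "EventData": {}, "RenderingInfo": None, "Unknown": []}
    for child in root:
        name = local(child.tag)
        if name == "System":
            for el in child:  # element text becomes "Tag", attributes become "Tag.Attr"
                key = local(el.tag)
                if el.text and el.text.strip():
                    record["System"][key] = el.text.strip()
                for attr, val in el.attrib.items():
                    record["System"][f"{key}.{attr}"] = val
        elif name == "EventData":
            for i, el in enumerate(child):
                if local(el.tag) == "Data":
                    record["EventData"][el.get("Name", f"Data{i}")] = (el.text or "").strip()
                elif local(el.tag) == "Binary":
                    raw = bytes.fromhex((el.text or "").strip())
                    # Assumption: this sample's Binary is UTF-16LE text ("ScDeviceEnum/4"); decode for readability.
                    record["EventData"]["BinaryText"] = raw.decode("utf-16-le", "replace").rstrip("\x00")
        elif name == "RenderingInfo":  # the element the reader in this report rejects
            record["RenderingInfo"] = {"Culture": child.get("Culture", "")}
            for el in child:
                record["RenderingInfo"][local(el.tag)] = (el.text or "").strip()
        else:  # tolerate rather than reject, so future schema additions only land here
            record["Unknown"].append(name)
    return record
```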

  was:
If windows events are extracted from the windows event collector they will 
include a "RenderingInfo" tag. However, this tag is not expected by the 
WindowsEventLogReader and will throw an error and pass the flow file into the 
failure relationship if the event contains the tag. This tag should be 
supported as it is a legitimate part of the Windows Event XML schema.

See 
[https://learn.microsoft.com/en-us/windows/win32/wes/eventschema-renderingtype-complextype]
 and 
[https://learn.microsoft.com/en-us/windows/win32/wec/windows-event-collector]. 
In this particular use case, events are being collected from field technicians' 
laptops to perform a cybersecurity audit after they have plugged their laptops 
into customer networks.

However, when these events are processed through a WindowsEventLogReader, the 
reader throws the following error.
{noformat}
ConvertRecord[id=7b99392f-2b54-139e-8791-349e930904cd] Failed to process 
FlowFile[filename=ffca2ea2-edd5-4ad1-8380-2bc4c8dae1ac]; will route to failure: 
org.apache.nifi.processor.exception.ProcessException: Could not parse incoming 
data
- Caused by: org.apache.nifi.serialization.MalformedRecordException: Error 
reading records to determine the FlowFile's RecordSchema
- Caused by: javax.xml.stream.XMLStreamException: Expecting <Event> tag but 
found unknown/invalid tag RenderingInfo{noformat}
An example of the event record might be
{noformat}
<Event xmlns="https://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Service Control Manager" 
Guid="{555908d1-a6d7-4695-8e1e-26931d2012f4}" EventSourceName="Service Control 
Manager"/>
    <EventID Qualifiers="16384">7036</EventID>
    <Version>0</Version>
    <Level>4</Level>
    <Task>0</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8080000000000000</Keywords>
    <TimeCreated SystemTime="2016-06-10T22:28:53.905233700Z"/>
    <EventRecordID>34153</EventRecordID>
    <Correlation/>
    <Execution ProcessID="684" ThreadID="3504"/>
    <Channel>System</Channel>
    <Computer>WIN-O05CNUCF16M.hdf.local</Computer>
    <Security/>
  </System>
  <EventData>
    <Data Name="param1">Smart Card Device Enumeration Service</Data>
    <Data>param2</Data>
    <Binary>5300630044006500760069006300650045006E0075006D002F0034000000</Binary>
  </EventData>
  <RenderingInfo Culture="en-US">
    <Message>This is a message</Message>
  </RenderingInfo>
</Event>{noformat}
Removing the tag allows the event to be processed as normal.

One possible workaround is to use a ReplaceText processor to remove the tag 
before reading, but this then involves either discarding the tag contents, or 
using an enrichment fork to find some other way of processing it. Another 
workaround is to use the XMLReader service, but this is a generic parser and 
has its own problems.


> WindowsEventLogRecordReader should parse RenderingInfo
> ------------------------------------------------------
>
>                 Key: NIFI-13328
>                 URL: https://issues.apache.org/jira/browse/NIFI-13328
>             Project: Apache NiFi
>          Issue Type: Improvement
>          Components: Core Framework
>    Affects Versions: 1.24.0
>         Environment: Docker
>            Reporter: Stephen Jeffrey Hindmarch
>            Priority: Major
>



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
