Stephen Jeffrey Hindmarch created NIFI-13330:
------------------------------------------------
Summary: WindowsEventLogReader fails with NPE if data tag is empty
Key: NIFI-13330
URL: https://issues.apache.org/jira/browse/NIFI-13330
Project: Apache NiFi
Issue Type: Bug
Components: Core Framework
Affects Versions: 1.24.0
Environment: Docker
Reporter: Stephen Jeffrey Hindmarch
If a Windows event contains an empty data tag then the WindowsEventLogReader
will fail with a Null Pointer Exception instead of treating it as a null field.
If the tag contains the word null then this gets treated as a string.
For example, parsing this
{noformat}
<Event xmlns="https://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Service Control Manager" Guid="{555908d1-a6d7-4695-8e1e-26931d2012f4}" EventSourceName="Service Control Manager"/>
<EventID Qualifiers="16384">7036</EventID>
<Version>0</Version>
<Level>4</Level>
<Task>0</Task>
<Opcode>0</Opcode>
<Keywords>0x8080000000000000</Keywords>
<TimeCreated SystemTime="2016-06-10T22:28:53.905233700Z"/>
<EventRecordID>34153</EventRecordID>
<Correlation/>
<Execution ProcessID="684" ThreadID="3504"/>
<Channel>System</Channel>
<Computer>WIN-O05CNUCF16M.hdf.local</Computer>
<Security/>
</System>
<EventData>
<Data Name="param1">Smart Card Device Enumeration Service</Data>
<Data Name="CertIssuer"/>
<Data Name="CertSignature"/>
<Data Name="CertExpiryDate"/>
</EventData>
</Event>{noformat}
Results in the error
{noformat}
ConvertRecord[id=7b99392f-2b54-139e-8791-349e930904cd] Failed to process FlowFile[filename=cdd10be3-9364-4458-bb89-69988b3e7a60]; will route to failure: java.lang.NullPointerException{noformat}
And this (partial) stack trace.
{noformat}
2024-05-31 12:55:15 2024-05-31 11:55:15,722 ERROR [Timer-Driven Process Thread-5] o.a.n.processors.standard.ConvertRecord ConvertRecord[id=7b99392f-2b54-139e-8791-349e930904cd] Failed to process StandardFlowFileRecord[uuid=cdd10be3-9364-4458-bb89-69988b3e7a60,claim=StandardContentClaim [resourceClaim=StandardResourceClaim[id=1717153302525-1, container=default, section=1], offset=6510, length=880],offset=0,name=cdd10be3-9364-4458-bb89-69988b3e7a60,size=880]; will route to failure
2024-05-31 12:55:15 java.lang.NullPointerException: null
2024-05-31 12:55:15 at java.base/java.util.Objects.requireNonNull(Unknown Source)
2024-05-31 12:55:15 at org.apache.nifi.serialization.record.RecordField.<init>(RecordField.java:70)
2024-05-31 12:55:15 at org.apache.nifi.serialization.record.RecordField.<init>(RecordField.java:40)
2024-05-31 12:55:15 at org.apache.nifi.windowsevent.WindowsEventLogRecordReader.getDataFieldsFrom(WindowsEventLogRecordReader.java:292){noformat}
What is expected is that the empty data fields should be parsed as null, for
example
{noformat}
[ {
  "System" : {
    "Provider" : {
      "Guid" : "{555908d1-a6d7-4695-8e1e-26931d2012f4}",
      "Name" : "Service Control Manager"
    },
    "EventID" : 7036,
    "Version" : 0,
    "Level" : 4,
    "Task" : 0,
    "Opcode" : 0,
    "Keywords" : "0x8080000000000000",
    "TimeCreated" : {
      "SystemTime" : "2016-06-10T22:28:53.905233700Z"
    },
    "EventRecordID" : 34153,
    "Correlation" : null,
    "Execution" : {
      "ThreadID" : 3504,
      "ProcessID" : 684
    },
    "Channel" : "System",
    "Computer" : "WIN-O05CNUCF16M.hdf.local",
    "Security" : null
  },
  "EventData" : {
    "param1" : "Smart Card Device Enumeration Service",
    "CertIssuer" : null,
    "CertSignature" : null,
    "CertExpiryDate" : null
  }
} ]{noformat}
A workaround is to use ReplaceText to replace any empty tags and either delete
them or insert a string value such as "null" or "-" which can be handled later
on by JSON readers.
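The expected behaviour described in the report, as an added example that is not part of the original message and is not NiFi code: a small Python parser that maps empty elements to null and keeps the literal text `null` as a string. The sample event is a constructed reduction of the one in the report; the helper names and the positional key for unnamed `Data` elements are assumptions, and values are left as strings rather than typed.

```python
import xml.etree.ElementTree as ET

# Constructed sample, reduced from the event in the report.
SAMPLE_EVENT = """<Event xmlns="https://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <EventID Qualifiers="16384">7036</EventID>
    <Correlation/>
    <Execution ProcessID="684" ThreadID="3504"/>
  </System>
  <EventData>
    <Data Name="param1">Smart Card Device Enumeration Service</Data>
    <Data Name="CertIssuer"/>
    <Data Name="CertSignature"></Data>
    <Data Name="Literal">null</Data>
  </EventData>
</Event>"""


def local(tag):
    """Strip the '{namespace}' prefix ElementTree puts on tag names."""
    return tag.rsplit("}", 1)[-1]


def text_or_none(elem):
    """Empty or whitespace-only element text becomes None, never ''."""
    text = (elem.text or "").strip()
    return text or None


def event_to_record(xml_text):
    """Map one <Event> to a dict; hypothetical helper, not NiFi code."""
    root = ET.fromstring(xml_text)
    record = {"System": {}, "EventData": {}}
    for section in root:
        name = local(section.tag)
        if name == "System":
            for child in section:
                # Text wins; attribute-only elements keep their attributes;
                # elements with neither text nor attributes become None.
                value = text_or_none(child)
                if value is None and child.attrib:
                    value = dict(child.attrib)
                record["System"][local(child.tag)] = value
        elif name == "EventData":
            for i, data in enumerate(section):
                # Assumption: an unnamed <Data> gets a positional key.
                key = data.get("Name") or f"Data{i}"
                record["EventData"][key] = text_or_none(data)
    return record
```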