[ 
https://issues.apache.org/jira/browse/NIFI-13328?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Stephen Jeffrey Hindmarch updated NIFI-13328:
---------------------------------------------
    Summary: WindowsEventLogReader should parse RenderingInfo  (was: WindowsEventLogRecordReader should parse RenderingInfo)

> WindowsEventLogReader should parse RenderingInfo
> ------------------------------------------------
>
>                 Key: NIFI-13328
>                 URL: https://issues.apache.org/jira/browse/NIFI-13328
>             Project: Apache NiFi
>          Issue Type: Improvement
>          Components: Core Framework
>    Affects Versions: 1.24.0
>         Environment: Docker
>            Reporter: Stephen Jeffrey Hindmarch
>            Priority: Major
>
> If Windows events are extracted from the Windows Event Collector they will 
> include a "RenderingInfo" tag. However, this tag is not expected by the 
> WindowsEventLogReader, which will throw an error and pass the flow file into the 
> failure relationship if the event contains the tag. This tag should be 
> supported as it is a legitimate part of the Windows Event XML schema.
> See 
> [https://learn.microsoft.com/en-us/windows/win32/wes/eventschema-renderingtype-complextype]
>  and 
> [https://learn.microsoft.com/en-us/windows/win32/wec/windows-event-collector]. 
> In this particular use case, events are being collected from field 
> technicians' laptops to perform a cybersecurity audit after they have 
> plugged their laptops into customer networks.
> When these events are processed through a WindowsEventLogReader, the reader 
> throws the following error.
> {noformat}
> ConvertRecord[id=7b99392f-2b54-139e-8791-349e930904cd] Failed to process 
> FlowFile[filename=ffca2ea2-edd5-4ad1-8380-2bc4c8dae1ac]; will route to 
> failure: org.apache.nifi.processor.exception.ProcessException: Could not 
> parse incoming data
> - Caused by: org.apache.nifi.serialization.MalformedRecordException: Error 
> reading records to determine the FlowFile's RecordSchema
> - Caused by: javax.xml.stream.XMLStreamException: Expecting <Event> tag but 
> found unknown/invalid tag RenderingInfo{noformat}
> An example of the event record might be
> {noformat}
> <Event xmlns="https://schemas.microsoft.com/win/2004/08/events/event">
>   <System>
>     <Provider Name="Service Control Manager" Guid="{555908d1-a6d7-4695-8e1e-26931d2012f4}" EventSourceName="Service Control Manager"/>
>     <EventID Qualifiers="16384">7036</EventID>
>     <Version>0</Version>
>     <Level>4</Level>
>     <Task>0</Task>
>     <Opcode>0</Opcode>
>     <Keywords>0x8080000000000000</Keywords>
>     <TimeCreated SystemTime="2016-06-10T22:28:53.905233700Z"/>
>     <EventRecordID>34153</EventRecordID>
>     <Correlation/>
>     <Execution ProcessID="684" ThreadID="3504"/>
>     <Channel>System</Channel>
>     <Computer>WIN-O05CNUCF16M.hdf.local</Computer>
>     <Security/>
>   </System>
>   <EventData>
>     <Data Name="param1">Smart Card Device Enumeration Service</Data>
>     <Data>param2</Data>
>     <Binary>5300630044006500760069006300650045006E0075006D002F0034000000</Binary>
>   </EventData>
>   <RenderingInfo Culture="en-US">
>     <Message>This is a message</Message>
>   </RenderingInfo>
> </Event>{noformat}
> Removing the tag allows the event to be processed as normal.
> One possible workaround is to use a ReplaceText processor to remove the tag 
> before reading, but this then involves either discarding the tag contents, or 
> using an enrichment fork to find some other way of processing it. Another 
> workaround is to use the XMLReader service, but this is a generic parser and 
> has its own problems.
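As an added illustration (not NiFi code, and not the reporter's), the following stand-alone Python parser handles the event shape quoted above: it reads System and EventData the way a record reader would, treats the optional RenderingInfo element as a legitimate sibling rather than an error, and records any other unexpected top-level element instead of failing. The sample event is constructed from the one in the issue; the namespace is stripped by local name so either the http or https URI is accepted.

```python
import xml.etree.ElementTree as ET

# Constructed sample event (modelled on the one quoted in the issue), with RenderingInfo.
SAMPLE_EVENT = """<Event xmlns="https://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Service Control Manager" Guid="{555908d1-a6d7-4695-8e1e-26931d2012f4}"/>
    <EventID Qualifiers="16384">7036</EventID>
    <TimeCreated SystemTime="2016-06-10T22:28:53.905233700Z"/>
    <Channel>System</Channel>
    <Computer>WIN-O05CNUCF16M.hdf.local</Computer>
  </System>
  <EventData>
    <Data Name="param1">Smart Card Device Enumeration Service</Data>
    <Data>param2</Data>
  </EventData>
  <RenderingInfo Culture="en-US">
    <Message>This is a message</Message>
  </RenderingInfo>
</Event>"""

def local(tag):
    """Strip the namespace prefix ({uri}Name -> Name) so any namespace URI is accepted."""
    return tag.rsplit("}", 1)[-1]

def parse_windows_event(xml_text):
    """Parse one Windows Event XML record; RenderingInfo is optional, unknown siblings are kept."""
    root = ET.fromstring(xml_text)
    if local(root.tag) != "Event":
        raise ValueError("Expecting <Event> root but found " + local(root.tag))
    record = {"System": {}, "EventData": {}, "RenderingInfo": None, "Unknown": []}
    for child in root:
        name = local(child.tag)
        if name == "System":
            for field in child:
                text = (field.text or "").strip()
                # Text-bearing fields (EventID, Channel) keep their text; attribute-only
                # fields (Provider, TimeCreated) keep their attributes.
                record["System"][local(field.tag)] = text if text else dict(field.attrib)
        elif name == "EventData":
            for data in child:
                text = (data.text or "").strip()
                if data.get("Name"):
                    record["EventData"][data.get("Name")] = text
                else:
                    record["EventData"].setdefault("_unnamed", []).append(text)
        elif name == "RenderingInfo":
            # The rendered (localised) message text lives here; keep it instead of failing.
            record["RenderingInfo"] = {"Culture": child.get("Culture")}
            for elem in child:
                record["RenderingInfo"][local(elem.tag)] = (elem.text or "").strip()
        else:
            record["Unknown"].append(name)  # tolerate other schema additions
    return record
```

Running `parse_windows_event(SAMPLE_EVENT)` returns the System fields, the named EventData parameters, and the RenderingInfo message; the same event with the RenderingInfo block removed parses identically with `RenderingInfo` set to `None`.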



--
This message was sent by Atlassian Jira
(v8.20.10#820010)