Describe the bug
Possible buffer overflow? Original issue posted on the Fluentd Google Group showed there were unexpected CJK characters in event logs. Upon further investigation these are not CJK characters, but rather botched unicode bytes appended to the original text after the "end of text" character. This leads me to believe the windows_eventlog2 plugin may be reading past the desired bytes in memory and grabbing extra data.
Here is how it looks:
"Description":"The resource loader failed to find MUI file.
㐳㈸‧獉畃牲湥㵴琧畲❥㸯⼼潂歯慭歲楌瑳>>䏐涔倀者䈼潯浫牡䱫獩㹴†䈼潯浫牡桃湡敮㵬洧捩潲潳瑦眭湩潤獷欭牥敮湰⽰潣普杩牵瑡潩❮删捥牯䥤㵤㈧㐱✱䤠䍳牵敲瑮✽牴敵⼧ാ㰊䈯潯浫牡䱫獩㹴㸀",
To Reproduce
Configure Fluentd to read all event logs with "read_all_channels true". This does not occur on the top-level Application, System, and Security logs. Configure the match to dump all output to a local json file for convenience.
In the below code I had already narrowed it down to the wer-payloadhealth log, but that may not be consistent on every system, which is why I recommended using "read_all_channels true".
<source>
@type windows_eventlog2
@id windows_eventlog2
channels "microsoft-windows-wer-payloadhealth/operational"
preserve_qualifiers_on_hash true
read_existing_events
read_interval 10
tag winevt.raw2
render_as_xml false
rate_limit 5000
<storage>
@type local
persistent true
path "C:/Program Files/appname/Fluentd/pos/winevt2.json"
</storage>
</source>
<match winevt.raw2>
@type file
path "C:/Temp/${tag}.%Y%m%d%H%M"
path_suffix ".json"
append true
<format>
@type json
</format>
<buffer tag,time>
timekey 1m
timekey_use_utc true
timekey_wait 1m
chunk_limit_size 500MB
flush_thread_count 2
</buffer>
</match>
Expected behavior
The output json file will contain numerous Description elements with what appears to be CJK text. Many if not all will be associated with what should be an empty Description.
The corresponding Description in Windows will likely be "The Description for event ID xx .... cannot be found."
Grab a Description text from the log and run it through a converter, such as the C# below:
using System;
using System.Text;

string originalString = "paste string here";
foreach (char c in originalString)
{
    // Take the UTF-16LE bytes of the char, then read those same bytes as UTF-8.
    byte[] utf16Bytes = Encoding.Unicode.GetBytes(c.ToString());
    Console.WriteLine($"{(int)c} - {Encoding.UTF8.GetString(utf16Bytes)}");
}
EDIT: the 3 printed below is actually "13" (carriage return).
Something that stands out is the "3", which is the "end of text" character. For now I can add a check to that in my code to signify what is valid text.
You can see after it gets past "10", the line feed character, everything goes a bit wonky.
Here is a snippet of the output:
Columns are: integer value - character
77 - M
85 - U
73 - I
32 -
102 - f
105 - i
108 - l
101 - e
46 - .
3 -
10 -
13363 - 34
12856 - 82
8231 - '
29513 - Is
30019 - Cu
29298 - rr
28261 - en
15732 - t=
29735 - 't
30066 - ru
10085 - e'
15919 - />
2573 -
Your Environment
- Fluentd version: 1.11.1 and 1.12.3
- TD Agent version: 3.8.1 and 4.1.1
- Operating system: Windows Server 2019 and Windows 10 Pro
- Kernel version:
Your Configuration
<source>
@type windows_eventlog2
@id windows_eventlog2
channels "microsoft-windows-wer-payloadhealth/operational"
preserve_qualifiers_on_hash true
read_existing_events
read_interval 10
tag winevt.raw2
render_as_xml false
rate_limit 5000
<storage>
@type local
persistent true
path "C:/Program Files/appname/Fluentd/pos/winevt2.json"
</storage>
</source>
<match winevt.raw2>
@type file
path "C:/Temp/${tag}.%Y%m%d%H%M"
path_suffix ".json"
append true
<format>
@type json
</format>
<buffer tag,time>
timekey 1m
timekey_use_utc true
timekey_wait 1m
chunk_limit_size 500MB
flush_thread_count 2
</buffer>
</match>
Your Error Log
No errors.
Additional context
No response